CBC Endpoint Standard: The console shows duplicate device names after a sensor host has experienced abnormal system shutdown.
Article ID: 288228
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
- The sensor's confer.log in the sensor diagnostics shows this kind of corruption error:
12/05/23 06:35:40.090: 2720 WARNING ZipContainerManager::ProcessExistingZipUnsafe: cannot load (corrupt) C:\ProgramData\CarbonBlack\DataFiles\datafile3: 12 resetting and re-requesting.
- The console's inventory / endpoints page shows duplicate entries for device names with different device ID's in the fly-out panel on the right.
- The Windows System Event log shows error 41's like this:
"The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly."
Environment
- Carbon Black Cloud Windows sensors: All version
- Carbon Black Cloud Backend: All versions
- Microsoft Windows operating systems: All versions
Cause
The Windows computer has experienced some kind of abnormal shutdown.
Resolution
When a Windows computer abnormally shuts down, it's possible for the CBC Sensor's data files to be corrupted.
Fortunately, the CBC sensor is capable of detecting corrupt data files and will delete the bad files, and force the sensor to re-register which forces a new set of valid data files to be downloaded to the computer. All the user will see is a duplicate sensor device in the endpoints page, but with a new device id.
Fortunately, the CBC sensor is capable of detecting corrupt data files and will delete the bad files, and force the sensor to re-register which forces a new set of valid data files to be downloaded to the computer. All the user will see is a duplicate sensor device in the endpoints page, but with a new device id.
Feedback
Yes
No
Powered by
