Duplicate Devices in Carbon Black Cloud After a Sensor Has Experienced Ungraceful System Shutdown
search cancel

Duplicate Devices in Carbon Black Cloud After a Sensor Has Experienced Ungraceful System Shutdown

book

Article ID: 288228

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter) Carbon Black Cloud Prevention Carbon Black Cloud Workload

Issue/Introduction

  • Duplicate entries are seen for the same device in the console. Each with a different "Registered" Date/Time and a unique Device ID.
  • Devices may go to the default "Standard" policy instead of the policy they were assigned at install.
  • The Windows System Event log shows error 41's: 
    The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
  • The sensor's confer.log then shows corruption errors followed by a registration attempt: 
    WARNING ZipContainerManager::ProcessExistingZipUnsafe: cannot load (corrupt) C:\ProgramData\CarbonBlack\DataFiles\datafile3: 12 resetting and re-requesting.
...
ERROR     DbSafeInitialize: failed to initialize C:\ProgramData\CarbonBlack\DataFiles\db_rep database: err[not an error]
WARNING   DbSafeInitialize: trying to recover
INFO      RepUtilRestoreSafeDbBackup: restored rep_db from safe backup
.....
INFO      CloudTask::OfflineInstall::RunTask: Offline Install detected and Cloud is now reachable - Attempting to register...
INFO      RepUtilRegisterAfterOfflineInstall: Beginning registration attempt..

 

Environment

  • Carbon Black Cloud Windows sensors: 4.0.3 and Below
  • Carbon Black Cloud Backend: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

  • Ungraceful / hard shutdowns causing corruption of the sensor files.
  • During this corruption the registration and policy information is lost, so it re-registers and may change policy depending on the settings enabled in the org.

Resolution

  • Investigations are underway to make the sensor more robust during ungraceful shutdowns.
  • This behavior is resolved in the 4.1 sensor once it is released.
  • This being tracked under CRE-18013 / DSEN-27717 / DSEN-27719.
Powered by Wolken Software