Endpoint Standard: Signature Updates Fail With Default Settings


Article ID: 288876


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Signature definitions are out of date as reported in the Console
  • Signature definitions may never update or only update periodically
  • The URL is open through proxy and/or firewall
    http://updates2.cdc.carbonblack.io/update2
  • The upd.log may include the following error
    Param 9 --internet-srvs=http://updates2.cdc.carbonblack.io/update2
    Callback: No other server, update aborted
    Failed to call check for update: 48
    Update finished with code 2
  • The confer.log may show the following errors
    Av.Avt.UpdateServers.GetServerType: on site
    Av.Avt.UpdateServers.DoCheck: Found http://updates2.cdc.carbonblack.io/update2, time 0.XXXXXXXX, proxy off
    Av.Avt.UpdateServers.Get: on site - http://updates2.cdc.carbonblack.io/update2,, proxy 0, local 0, master 0
    Av.Avt.Signature: Update started, it may take a while
    Av.Avt.Signature: Failed to update, error 2
  • Pcaps may show the http session initializing successfully and the Sensor successfully downloading the master.idx file and other .info.gz files 
  • The session will end without error and close out 120 seconds later
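The symptoms above can be checked mechanically. The following is an added example, not Carbon Black tooling: it scans upd.log / confer.log lines for the failure strings quoted in this article and reports whether the configured update server is still plain http. The function name triage and the report keys are assumptions, and the sample lines are constructed from the excerpts above.

```python
"""Triage Endpoint Standard upd.log / confer.log lines for the http update failure."""
import re
from urllib.parse import urlsplit

# Failure strings quoted in this article (upd.log and confer.log).
FAILURE_MARKERS = (
    "Callback: No other server, update aborted",
    "Failed to call check for update: 48",
    "Update finished with code 2",
    "Av.Avt.Signature: Failed to update, error 2",
)
# An update-server URL ends at whitespace or at the comma that follows it in confer.log.
URL_RE = re.compile(r"https?://[^\s,]+")

# Constructed sample: the log excerpts from this article, one entry per line.
SAMPLE_LINES = [
    "Param 9 --internet-srvs=http://updates2.cdc.carbonblack.io/update2",
    "Callback: No other server, update aborted",
    "Failed to call check for update: 48",
    "Update finished with code 2",
    "Av.Avt.UpdateServers.GetServerType: on site",
    "Av.Avt.UpdateServers.DoCheck: Found http://updates2.cdc.carbonblack.io/update2, time 0.XXXXXXXX, proxy off",
    "Av.Avt.UpdateServers.Get: on site - http://updates2.cdc.carbonblack.io/update2,, proxy 0, local 0, master 0",
    "Av.Avt.Signature: Update started, it may take a while",
    "Av.Avt.Signature: Failed to update, error 2",
]

def triage(lines):
    """Return the update servers seen, the failure markers hit, and a verdict."""
    servers, failures = set(), []
    for line in lines:
        # Only trust URLs on lines that describe the update-server selection.
        if "--internet-srvs=" in line or "Av.Avt.UpdateServers." in line:
            servers.update(URL_RE.findall(line))
        failures += [marker for marker in FAILURE_MARKERS if marker in line]
    cleartext = sorted(u for u in servers if urlsplit(u).scheme == "http")
    return {
        "servers": sorted(servers),
        "failures": failures,
        "cleartext_servers": cleartext,
        # This article applies when updates fail while the server is still http.
        "matches_article": bool(failures) and bool(cleartext),
        # Same URL with the protocol changed to https, as the Resolution describes.
        "suggested": ["https" + u[len("http"):] for u in cleartext],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Feed it the lines of the Sensor's own upd.log and confer.log in place of SAMPLE_LINES; a result with matches_article set to False means the failure has a different cause than the one described here.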

Environment

  • Carbon Black Cloud (formerly known as CB Defense PSC) Console: 0.45 and higher
  • Endpoint Standard (formerly known as CB Defense): 3.3.x.x and higher
  • Microsoft Windows: All supported versions
  • Local Scanner installed and enabled by policy to use CB servers for updates

Cause

  • There is likely something in the perimeter firewall or proxy configuration affecting downloads through http sessions
  • The Local Scanner settings default to http sessions for both onsite and offsite update servers

Resolution

Configure the Local Scanner policy to use https for Signature updates
  1. Select Enforce > Policies
  2. Select the affected policy
  3. Select the Local Scanner tab
  4. Click the Add button for "UPDATE SERVERS FOR INTERNAL DEVICES"
  5. Use the same URL and change the protocol to https
    https://updates2.cdc.carbonblack.io/update2
  6. Either mark it as the Preferred Server by checking the Preferred Servers box or delete the entry for http
  7. Save the policy changes (it may be helpful to update the Sensor UI message so the policy change can be confirmed)
  8. Either run the update manually with RepCLI or allow the Sensor to update on schedule and monitor the results

Additional Information

  • Sensor versions earlier than 3.3.x.x will not be able to update signatures over an https session
  • The settings for offsite update servers can also be changed to https if desired
  • If issues persist and no evidence of traffic blocks is present, please open a support case for assistance