Endpoint Standard: Signature Updates Fail With Default Settings
Article ID: 288876
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Signature definitions are out of date as reported in the Console
Signature definitions may never update or only update periodically
The URL is open through proxy and/or firewall
http://updates2.cdc.carbonblack.io/update2
The upd.log may include the following error
Param 9 --internet-srvs=http://updates2.cdc.carbonblack.io/update2
Callback: No other server, update aborted
Failed to call check for update: 48
Update finished with code 2
The confer.log may show the following errors
Av.Avt.UpdateServers.GetServerType: on site
Av.Avt.UpdateServers.DoCheck: Found http://updates2.cdc.carbonblack.io/update2, time 0.XXXXXXXX, proxy off
Av.Avt.UpdateServers.Get: on site - http://updates2.cdc.carbonblack.io/update2,, proxy 0, local 0, master 0
Av.Avt.Signature: Update started, it may take a while
Av.Avt.Signature: Failed to update, error 2
Pcaps may show the http session initializing successfully and the Sensor successfully downloading the master.idx file and other .info.gz files
The session will end without error and close out 120 seconds later
Environment
Carbon Black Cloud (formerly known as CB Defense PSC) Console: 0.45 and higher
Endpoint Standard (formerly known as CB Defense): 3.3.x.x and higher
Microsoft Windows: All supported versions
Local Scanner installed and enabled by policy to use CB servers for updates
Cause
There is likely something in the perimeter firewall or proxy configuration affecting downloads through http sessions
The Local Scanner settings default to http sessions for both onsite and offsite update servers
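The following check is an added example, not Carbon Black code: it scans upd.log or confer.log text for the failure lines quoted in this article and reports whether every update server seen in the log uses http. The function name triage, the verdict labels and the sample log are constructed for illustration, and it assumes the logs can be read as plain text.

```python
import re

# Constructed sample lines modelled on the upd.log and confer.log excerpts above.
SAMPLE_LOG = """\
Param 9 --internet-srvs=http://updates2.cdc.carbonblack.io/update2
Callback: No other server, update aborted
Failed to call check for update: 48
Update finished with code 2
Av.Avt.UpdateServers.Get: on site - http://updates2.cdc.carbonblack.io/update2,, proxy 0, local 0, master 0
Av.Avt.Signature: Update started, it may take a while
Av.Avt.Signature: Failed to update, error 2
"""

# Update server URL as it appears in either log (scheme and host/path captured).
SERVER_RE = re.compile(r"(?:--internet-srvs=|UpdateServers\.Get: .*? - )(https?)://([^\s,]+)")
# Literal failure lines quoted in the article; \b keeps "code 2" from matching "code 20".
FAILURE_RES = [
    re.compile(r"Update finished with code 2\b"),
    re.compile(r"Av\.Avt\.Signature: Failed to update, error 2\b"),
    re.compile(r"No other server, update aborted"),
]

def triage(log_text):
    """Return the update servers seen, the failure lines, and a verdict."""
    servers, failures = set(), []
    for line in log_text.splitlines():
        m = SERVER_RE.search(line)  # search() tolerates timestamp prefixes
        if m:
            servers.add((m.group(1).lower(), m.group(2)))
        if any(r.search(line) for r in FAILURE_RES):
            failures.append(line.strip())
    schemes = {scheme for scheme, _ in servers}
    if failures and schemes == {"http"}:
        verdict = "matches-article"      # failing, and only http servers in use
    elif failures:
        verdict = "failing-other-cause"  # https already in use, or no server line found
    else:
        verdict = "no-failure-seen"
    return {"servers": sorted(servers), "failures": failures, "verdict": verdict}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for scheme, host in result["servers"]:
        print(f"update server: {scheme}://{host}")
    for line in result["failures"]:
        print(f"failure: {line}")
    print("verdict:", result["verdict"])
```

A "failing-other-cause" verdict after the policy has been switched to https corresponds to the last item under Additional Information.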
Resolution
Configure the Local Scanner policy to use https for Signature updates
Select Enforce > Policies
Select the affected policy
Select the Local Scanner tab
Click the Add button for "UPDATE SERVERS FOR INTERNAL DEVICES"
Use the same URL and change the protocol to https
https://updates2.cdc.carbonblack.io/update2
Either mark it as the Preferred Server by checking the Preferred Servers box or delete the entry for http
Save policy changes (It may be helpful to update the Sensor UI message so the policy change can be confirmed)
Either run update manually with RepCLI or allow the Sensor to update on schedule and monitor results
Additional Information
Sensor versions previous to 3.3.x.x will not be able to update signatures over an https session
The settings for offsite update servers can also be changed to https if desired
If issues persist and no evidence of traffic blocks is present, please open a support case for assistance