App Control: Bad Rule Causing Mass Blocks / Systems to not start

search cancel

book

calendar_today

Carbon Black App Control (formerly Cb Protection)

A bad or unsatisfactory block rule was created or modified

If the App Control Server/Database is down:

Boot server(s) into safe mode
Go to Start > Run > services.msc
Set App Control agent service to disabled
Start Windows normally
Open an admin CMD promt
Run command:
```
fltmc unload paritydriver
```
Remove the offending rule in the next section, then pick up again on step 8 of "correcting agents" section

Removing the offending rule:

Login to the App Control console
Determine which rule is causing the block:
- https://community.carbonblack.com/t5/Knowledge-Base/CB-Protection-How-to-Tell-What-Rule-Is-Causing-a-Block/ta-p/66272
Disable the offending rule.
Navigate to Assets > Computers
Confirm agents match "Current CL Version" for the server

Options to correct agents that are unable to boot or receive configlist updates:

Uninstall/Reinstall the agent
- https://community.carbonblack.com/t5/Knowledge-Base/Cb-Protection-How-to-Uninstall-an-Agent-via-Safe-Mode-Windows/ta-p/63180
Update the CL of Effected Machines:
1. Boot effected machines(s) into safe mode
2. Go to Start > Run > services.msc
3. Set CB Protection agent service to disabled
4. Start Windows normally
5. Open an admin CMD promt
6. Run command:
```
fltmc unload paritydriver
```
7. Go to Start > Run > services.msc
8. Set App Control agent service to automatic startup
9. Start App Control agent service
10. In command prompt, run commands:
```
cd c:\program files (x86)\bit9\parity agent 
dascli status 
Under "Server Information", wait for confliglist line to say <CLINumber> of <CLINumber> 100% (or higher than value found in "Removing the Rule" ) 
```
11. Restart Device
12. Confirm device is checking back into CB Console

Uninstalling/reinstalling agents will cause them to go through initialization. Please refer to user guide

thumb_up Yes

thumb_down No