EDR: Windows Sensor not connecting CBLR session successfully

Article ID: 289158

Updated On:

Products

Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

A single online sensor cannot connect a CBLR (Carbon Black Live Response) session from the EDR console, but other endpoints can.

Environment

  • EDR Server: All Supported Versions
  • EDR Sensor: All Supported Versions
  • Windows OS: All Supported Versions

Cause

In '/var/log/cb/liveresponse/debug.log', you will find messages like:
8/12/21 4:46:46.000 AM
2021-08-12 04:46:46 [46752] <warning> cb.liveresponse.lr_api_blueprint - UnknownSessionException: Session XX not found.

8/12/21 4:46:44.000 AM
2021-08-12 04:46:44 [46752] <warning> cb.liveresponse.engine - Removing session: Session[XX, b'<Hostname>'(<sensorid>), pending]

8/12/21 4:46:44.000 AM
2021-08-12 04:46:44 [46752] <warning> cb.liveresponse.session - Session[XX, b'<Hostname>'(<sensorid>), pending] Timed out waiting for sensor

8/12/21 4:46:39.000 AM
2021-08-12 04:46:39 [46752] <warning> cb.liveresponse.lr_sensor_blueprint - InvalidClientCert: Client certificate either invalid or missing: '<SensorGroupCert>'.

Resolution

The sensor group certificate does not match, so the sensor must be uninstalled and reinstalled to put the correct certificates in place.
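
To check whether a failed session matches the pattern in the Cause section, the following added example (not Carbon Black code) scans text in the debug.log format quoted above and reports sessions that timed out shortly after an InvalidClientCert warning. The 30-second correlation window, the function name and every value in the sample log are assumptions made for illustration; the InvalidClientCert line does not name the sensor, so the match is by time only.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the debug.log format quoted above; host names,
# sensor ids, session ids and the certificate name are made up.
SAMPLE_LOG = """\
8/12/21 4:46:39.000 AM
2021-08-12 04:46:39 [46752] <warning> cb.liveresponse.lr_sensor_blueprint - InvalidClientCert: Client certificate either invalid or missing: 'ExampleGroupCert'.
2021-08-12 04:46:44 [46752] <warning> cb.liveresponse.session - Session[17, b'WIN-EXAMPLE01'(42), pending] Timed out waiting for sensor
2021-08-12 04:46:44 [46752] <warning> cb.liveresponse.engine - Removing session: Session[17, b'WIN-EXAMPLE01'(42), pending]
2021-08-12 04:46:46 [46752] <warning> cb.liveresponse.lr_api_blueprint - UnknownSessionException: Session 17 not found.
2021-08-12 05:10:02 [46752] <warning> cb.liveresponse.session - Session[18, b'WIN-EXAMPLE02'(43), pending] Timed out waiting for sensor
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\d+\] <\w+> \S+ - (.*)$")
CERT_RE = re.compile(r"InvalidClientCert: [^']*'([^']*)'")
TIMEOUT_RE = re.compile(
    r"Session\[([^,]+), b'([^']*)'\(([^)]*)\), pending\] Timed out waiting for sensor")


def cert_related_timeouts(log_text, window_seconds=30):
    """Return timed-out sessions preceded by an InvalidClientCert warning."""
    rejections, timeouts = [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and viewer-added timestamp lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        cert = CERT_RE.search(m.group(2))
        timeout = TIMEOUT_RE.search(m.group(2))
        if cert:
            rejections.append((ts, cert.group(1)))
        elif timeout:
            timeouts.append((ts, *timeout.groups()))
    window = timedelta(seconds=window_seconds)  # assumed correlation window
    findings = []
    for ts, session, host, sensor_id in timeouts:
        # Certificates rejected in the window before this session timed out.
        certs = sorted({c for cts, c in rejections if timedelta(0) <= ts - cts <= window})
        if certs:
            findings.append({"time": ts.isoformat(sep=" "), "session": session,
                             "host": host, "sensor_id": sensor_id, "rejected_certs": certs})
    return findings


if __name__ == "__main__":
    for finding in cert_related_timeouts(SAMPLE_LOG):
        print(finding)
```

A timeout with no certificate rejection in the window, like the second session in the sample, is not reported and points to a different cause.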