Carbon Black Cloud: Multiple Cloned Linux VDI are Reporting under the same Device ID
search cancel

Carbon Black Cloud: Multiple Cloned Linux VDI are Reporting under the same Device ID


Article ID: 289604


Updated On:


Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)


  • Events produced by all cloned worker nodes will report under the Device ID for the machine that was cloned to make the template.
  • The template VM is inadvertently registered as as a clone when the template image is created


  • Carbon Black Linux Sensor: All Supported Versions
  • Linux: All Supported Versions


  • To prevent this issue from happening, the template machine’s sensor can be manually de-registered by removing both of these fields from the cfg.ini before the snapshot is taken. This will cause each cloned machine to register as a distinct endpoint when the sensor comes up for the first time. (We do not advise modifying the data in these fields - only removing them completely.)
  • Alternately, the file could be stripped of all detail except these fields: 


Additional Information

  • The Linux sensor keeps it’s primary configuration details along with some more ephemeral state in the /var/opt/carbonblack/psc/cfg.ini file.
  • The cfg.ini file is created when the sensor is installed, changes while the sensor is running, and is used to manage many longer term stateful processes such as software upgrades, communication configuration and state, and device registration information.
  • The sensor normally reads the cfg.ini file once on startup and writes it one or more times when the sensor needs to update this information. Therefore the cfg.ini file should only be edited while the sensor is stopped. Modifications done while the sensor is running are likely to be overwritten by the sensor’s next update of the file, and in any case will not be visible to the sensor until it’s next startup. However, it is advisable to plan what changes to make in order to reduce the time span of sensor downtime that occurs while editing the file.