Carbon Black Cloud: Multiple Cloned Linux VDI are Reporting under the same Device ID
book
Article ID: 289604
calendar_today
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Events produced by all cloned worker nodes will report under the Device ID for the machine that was cloned to make the template.
The template VM is inadvertently registered as as a clone when the template image is created
Environment
Carbon Black Linux Sensor: All Supported Versions
Linux: All Supported Versions
Resolution
To prevent this issue from happening, the template machine’s sensor can be manually de-registered by removing both of these fields from the cfg.ini before the snapshot is taken. This will cause each cloned machine to register as a distinct endpoint when the sensor comes up for the first time. (We do not advise modifying the data in these fields - only removing them completely.)
DeviceId
RegistrationId
Alternately, the cfg.in file could be stripped of all detail except these fields:
PemFile
PubKeyFile
CompanyCode
BackendServer
CBLR
Additional Information
The Linux sensor keeps it’s primary configuration details along with some more ephemeral state in the /var/opt/carbonblack/psc/cfg.ini file.
The cfg.ini file is created when the sensor is installed, changes while the sensor is running, and is used to manage many longer term stateful processes such as software upgrades, communication configuration and state, and device registration information.
The sensor normally reads the cfg.ini file once on startup and writes it one or more times when the sensor needs to update this information. Therefore the cfg.ini file should only be edited while the sensor is stopped. Modifications done while the sensor is running are likely to be overwritten by the sensor’s next update of the file, and in any case will not be visible to the sensor until it’s next startup. However, it is advisable to plan what changes to make in order to reduce the time span of sensor downtime that occurs while editing the file.