EDR: sensor is non-functional if carbonblack.db file can't be decrypted
Article ID: 289640
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
OSX sensor stops reporting to the server.
Sensor log shows:
E1017 12:48:47.310252 435830208 SensorDatabase.cpp:889] OpenEncryptDBHandle : could not access DB post encryption: file is encrypted or is not a database Result[26]
E1017 12:48:47.310557 435830208 SensorDatabase.cpp:896] OpenEncryptDBHandle : could not reopen sqlite db: unable to open database file Result[14]
E1017 12:48:47.310600 435830208 SensorDatabase.cpp:79] Start: SensorDatabase could not open db file[/var/lib/cb/carbonblack.db
E1017 12:48:47.310628 435830208 sensor_service.cpp:400] on_startUnable to start the Sensor Database
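To confirm this signature in a collected sensor log, the following added example (not Carbon Black code) parses the log-line prefix and checks for the decrypt failure followed by the service startup failure. The function and variable names are assumptions; 14 and 26 are the standard SQLite result codes SQLITE_CANTOPEN and SQLITE_NOTADB.

```python
import re

# Log-line prefix: severity + MMDD, time, thread id, source:line], message
LINE_RE = re.compile(
    r'^"?(?P<sev>[IWEF])(?P<mmdd>\d{4}) (?P<time>[\d:.]+) (?P<tid>\d+) '
    r'(?P<src>[\w.]+):(?P<lineno>\d+)\] (?P<msg>.*)$'
)
# SQLite primary result codes that appear in the article's log excerpt
SQLITE_CODES = {14: "SQLITE_CANTOPEN", 26: "SQLITE_NOTADB"}

# Log excerpt copied from the article above
ARTICLE_LOG = """\
E1017 12:48:47.310252 435830208 SensorDatabase.cpp:889] OpenEncryptDBHandle : could not access DB post encryption: file is encrypted or is not a database Result[26]
E1017 12:48:47.310557 435830208 SensorDatabase.cpp:896] OpenEncryptDBHandle : could not reopen sqlite db: unable to open database file Result[14]
E1017 12:48:47.310600 435830208 SensorDatabase.cpp:79] Start: SensorDatabase could not open db file[/var/lib/cb/carbonblack.db
E1017 12:48:47.310628 435830208 sensor_service.cpp:400] on_startUnable to start the Sensor Database
""".splitlines()


def diagnose(lines):
    """Return details of the undecryptable-DB startup failure, or None."""
    finding = {"codes": [], "db_path": None, "first_seen": None, "sensor_down": False}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["sev"] != "E":
            continue  # only error-severity lines matter here
        msg = m["msg"]
        code = re.search(r"Result\[(\d+)\]", msg)
        if "OpenEncryptDBHandle" in msg and code:
            finding["codes"].append(SQLITE_CODES.get(int(code[1]), "code " + code[1]))
            finding["first_seen"] = finding["first_seen"] or f'{m["mmdd"]} {m["time"]}'
        path = re.search(r"could not open db file\[([^\]\s]+)", msg)
        if path:
            finding["db_path"] = path[1]  # the log omits the closing bracket
        if "Unable to start the Sensor Database" in msg:
            finding["sensor_down"] = True
    # Signature from the article: NOTADB on decrypt, then the service gives up
    if "SQLITE_NOTADB" in finding["codes"] and finding["sensor_down"]:
        return finding
    return None


if __name__ == "__main__":
    print(diagnose(ARTICLE_LOG))
```

A log that shows only Result[14] without Result[26] returns None, since a bare open failure does not match the signature in this article.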
Environment
EDR OSX sensor: 6.2.6 and 6.3
Cause
Bug CB-33318.
Resolution
This issue will be fixed in a future version.
Workaround:
1. Make sure AV exclusions are in place.
2. Make sure the sensor is installed with the root account and that full disk access is enabled.
3. Remove the carbonblack.db file from the /var/lib/cb directory.
4. Restart the sensor.