Avoiding Duplicate Sensor IDs When Imaging or Using VDI
Article ID: 289650
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
How to avoid duplicate sensor IDs when registering sensors against the CB Cloud
Environment
CB Cloud Windows Sensor: Versions older than 3.8.0.535
CB Cloud Linux Sensor: Versions older than 2.12
Microsoft Windows: All supported versions
Linux: All supported versions
Resolution
Upgrade to sensor version 3.8.0.535 (Windows) or 2.12.x (Linux) or higher. Additional sensor functionality has been implemented in these versions to avoid duplicate device_id values.
Additional Information
The newer sensor versions, together with corresponding back-end changes, check whether a sensor is using a duplicate device_id by means of a machine UUID/hash generated from static OS information.
When the sensor starts, it generates a hash of the system. This hash is never the same on two different systems, even clones or VDI systems, and it does not change on the same system, even after a restart.
When a sensor checks in with a device_id and corresponding hash, the cloud backend verifies that the device UUID/hash is the same as the one previously associated with that device_id.
If the stored hash differs from the one presented by the sensor during check-in, the backend tells the sensor to automatically re-register itself.
This prevents duplicate device_id values.
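The check-in flow described above, modeled as an added example; this is not Carbon Black code. The class and function names, the use of SHA-256, and the fields fed into the hash are all assumptions made for illustration, and the sample machine values are constructed.

```python
import hashlib
import itertools

def machine_hash(static_os_info: dict) -> str:
    """Stable hash of static per-machine OS data (field choice is an assumption)."""
    canonical = "|".join(f"{k}={static_os_info[k]}" for k in sorted(static_os_info))
    return hashlib.sha256(canonical.encode()).hexdigest()

class Backend:
    """Toy model of the backend side: remembers which hash owns each device_id."""
    def __init__(self):
        self.known = {}                        # device_id -> machine hash
        self._next_id = itertools.count(1001)  # constructed id sequence

    def register(self, mhash: str) -> int:
        device_id = next(self._next_id)
        self.known[device_id] = mhash
        return device_id

    def check_in(self, device_id: int, mhash: str) -> str:
        # Same hash as stored for this device_id: the same machine is checking in.
        if self.known.get(device_id) == mhash:
            return "OK"
        # Different (or no) stored hash: a clone is reusing the id.
        return "REREGISTER"

class Sensor:
    """Toy model of the sensor side; a clone inherits device_id from its image."""
    def __init__(self, static_os_info: dict, device_id=None):
        self.static_os_info = static_os_info
        self.device_id = device_id

    def start(self, backend: Backend) -> int:
        mhash = machine_hash(self.static_os_info)  # recomputed on every start
        if self.device_id is None or backend.check_in(self.device_id, mhash) == "REREGISTER":
            self.device_id = backend.register(mhash)
        return self.device_id

def demo():
    backend = Backend()
    golden = Sensor({"machine_uuid": "constructed-uuid-A", "hostname": "gold"})
    gold_id = golden.start(backend)            # first registration
    clone = Sensor({"machine_uuid": "constructed-uuid-B", "hostname": "vdi-01"},
                   device_id=gold_id)          # imaged with the golden device_id
    clone_id = clone.start(backend)            # hash mismatch -> new device_id
    gold_again = golden.start(backend)         # restart: same hash, id kept
    return gold_id, clone_id, gold_again

if __name__ == "__main__":
    print(demo())
```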
This behavior can be modified during installation of the Windows sensor with the AUTO_REREGISTER_FOR_VDI_CLONES= setting described here.
AUTO_REREGISTER_FOR_VDI_CLONES=1 is recommended for physical machines to prevent them from changing device_id.
There is a behavior in EA-20280 which will cause reregistered machines to be marked as VDI and linked to the original device_id.