EDR: Not Able to Download Binary File
Article ID: 289715
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
In binary detail page, "Download" link failed with error "The binary file does not exist".
Environment
- EDR Server: All versions
Cause
Please noted that binary is global. There is only one copy of binary for the entire instance.
Possible scenarios:
Possible scenarios:
- If the binary first executed on sensor A, and A failed to upload the binary file, server doesn't have the binary file.
- If sensor A did upload the binary. But at one point, process event of the binary was purged due to purge settings. A cron job called binary_purge would purge the binary because it has no related process. Then server doesn't have the binary file anymore.
- If binary sharing is enabled, but the unique binary was lost when sending to Alliance.
- If binary sharing is enabled, but having trouble to connect to Alliance.
- If modulestore_purge cron job is enabled, and the first seen time of the binary has passed the job threshold.
- A manual /var/cb/data/modulestore purge was done.
Resolution
Per our current design, binary file that is for download is uploaded by the first execution sensor. If it's lost or purged, server will not have that file ever again in the future. We have this design to optimize performance.
Additional Information
Binary metadata is updated based on the last execution, is different than binary file.
Feedback
Yes
No
Powered by
