CB PSC: Multiple Live Response sessions for an endpoint will be killed if one session detaches

CB PSC: Multiple Live Response sessions for an endpoint will be killed if one session detaches

search cancel

CB PSC: Multiple Live Response sessions for an endpoint will be killed if one session detaches

book

Article ID: 290313

calendar_today

Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

When a user runs detach -q in one Live Response session for an endpoint, other users with a session open on that endpoint will receive 404s when attempting to execute commands

Environment

PSC Console: .43.x and Higher
- CB Defense
- CB ThreatHunter
CB PSC Sensor: 3.2 and Higher

Cause

This behavior is expected. Live Response will only create one session on an endpoint. Issuing the detach command tells the sensor to remove the session from memory.

Resolution

Use the "End my session" button or detach command without the -q flag to just disconnect one session
Users that lose connection can refresh the page to establish a new connection

Feedback

thumb_up Yes

thumb_down No