EDR: CBLR mode not compatible with configuration
Article ID: 290719
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Presence of log error message: Tid[11A4] YYYY-MM-DD HH:MM:SS (w): CBLR mode not compatible with configuration.
- Sensor unable to initiate Live Response session.
Environment
- EDR Sensor (formerly Cb Response) 6.2.1 or higher
- Windows OS: Any supported version
Cause
In sensor 6.2.1 and newer, a registry key mechanism was added to allow for a sensor-enforced kill switch in EDR (formerly Cb Response) that ensures that the sensor never initiates a Live Response session.
Resolution
Review registry keys on the endpoint and delete the registry key triggering the behavior. The mechanism is only enabled when a specific registry key is present.
Creating or presence of a DWORD registry value HKLM\SOFTWARE\CarbonBlack\config\CBLRMode will cause CBLR to no longer connect to an endpoint.
The value of the key is ignored and not necessary.
Creating or presence of a DWORD registry value HKLM\SOFTWARE\CarbonBlack\config\CBLRMode will cause CBLR to no longer connect to an endpoint.
The value of the key is ignored and not necessary.
Additional Information
This is not a common resolution to Live Response issues as it is not a common configuration.
Feedback
Yes
No
Powered by
