Endpoint Standard: Local Mirror Server is not receiving signature updates

Article ID: 290962

Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

The local mirror scheduled job is running, but signatures are not updating.

To verify, run the update on the mirror from an admin command prompt:
C:\inetpub\wwwroot\CBD_SignatureUpdates\do_update.bat
This returns zero files copied.

Environment

  • Endpoint Standard (formerly CB Defense): All supported versions
  • Local Mirror: Windows
  • Microsoft Windows: All supported versions

Cause

Networking issue.
To troubleshoot:
1. Launch Wireshark and start recording.
2. As before, from an admin command prompt, run
C:\inetpub\wwwroot\CBD_SignatureUpdates\do_update.bat
3. The moment it completes, stop Wireshark and save the capture.
Wireshark analysis:
The update queries the signature source:
406 2.925720000 xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx   DNS 87 Standard query 0xe6db A updates2.cdc.carbonblack.io
It gets IP addresses back for updates2:
408 2.938469000 xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx DNS 151 Standard query response 0xe6db A 13.224.245.106 A 13.224.245.21 A 13.224.245.2 A 13.224.245.65
It drops the name and uses the IP:
412 2.947251000 xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx HTTP 244 2097920 2097920 2097920 GET http://13.224.245.65/update2/idx/master.idx HTTP/1.1
The request is denied with a 403:
419 2.975380000 xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx HTTP 969 64128 64128 64128 HTTP/1.1 403 Forbidden (text/html)
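
The same analysis can be run over a saved packet list instead of being read by eye. The following is an added example, not part of the original article or of any Carbon Black tooling: it flags GET requests sent to a bare IP, names the DNS lookup that IP came from, and records the reply status. The function names and the line layout (taken from the four lines above) are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Packet summary lines copied from the capture above (addresses masked as on the page).
SAMPLE = """\
406 2.925720000 xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx   DNS 87 Standard query 0xe6db A updates2.cdc.carbonblack.io
408 2.938469000 xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx DNS 151 Standard query response 0xe6db A 13.224.245.106 A 13.224.245.21 A 13.224.245.2 A 13.224.245.65
412 2.947251000 xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx HTTP 244 2097920 2097920 2097920 GET http://13.224.245.65/update2/idx/master.idx HTTP/1.1
419 2.975380000 xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx HTTP 969 64128 64128 64128 HTTP/1.1 403 Forbidden (text/html)
"""

DNS_QUERY = re.compile(r"\bDNS\b.*Standard query (0x[0-9a-f]+) A (\S+)")
DNS_REPLY = re.compile(r"\bDNS\b.*Standard query response (0x[0-9a-f]+)((?: A \S+)+)")
HTTP_GET = re.compile(r"\bHTTP\b.*\bGET (http://\S+) HTTP/1\.[01]")
HTTP_STATUS = re.compile(r"\bHTTP\b.*HTTP/1\.[01] (\d{3})\b")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_ip_literal_requests(capture_text):
    """Return GETs addressed to a bare IP, with the DNS name behind that IP and the reply status."""
    names, resolved, findings, pending = {}, {}, [], None
    for line in capture_text.splitlines():
        frame = re.match(r"\s*(\d+)\s", line)
        if not frame:
            continue
        if m := DNS_QUERY.search(line):
            names[m.group(1)] = m.group(2)            # transaction id -> queried name
        elif m := DNS_REPLY.search(line):
            for ip in re.findall(r" A (\S+)", m.group(2)):
                resolved[ip] = names.get(m.group(1))  # answer IP -> queried name
        elif m := HTTP_GET.search(line):
            host, pending = urlsplit(m.group(1)).hostname, None
            if is_ip_literal(host):
                pending = {"frame": int(frame.group(1)), "url": m.group(1),
                           "name": resolved.get(host), "status": None}
                findings.append(pending)
        elif (m := HTTP_STATUS.search(line)) and pending:
            # Assumption: the next status line answers the pending GET (one sequential connection).
            pending["status"] = int(m.group(1))
            pending = None
    return findings
```

On the lines above it returns one finding: frame 412, resolved from updates2.cdc.carbonblack.io, status 403. After the fix in the Resolution section, a fresh capture should return an empty list.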

Resolution

Edit the do_update.bat file, adding "--no-dns-resolve" to the upd.exe command lines, giving:
upd.exe --mirror --no-dns-resolve --no-config --update-modules-list=VDF,AVE2 --master-file=/idx/master.idx --product-file=/idx/savapi4lib-win32-en.info.gz --key-dir=. --install-dir=%outdir%\32 --internet-srvs=http://updates2.cdc.carbonblack.io/update2
upd.exe --mirror --no-dns-resolve --no-config --update-modules-list=VDF,AVE2 --master-file=/idx/master.idx --product-file=/idx/savapi4lib-win64-en.info.gz --key-dir=. --install-dir=%outdir%\64 --internet-srvs=http://updates2.cdc.carbonblack.io/update2
Rerun:
C:\inetpub\wwwroot\CBD_SignatureUpdates\do_update.bat
The mirror will now pull down the latest signatures from updates2.cdc.carbonblack.io.