EDR: Unable to Stop EDR Sensor Service Version 7.2.0 With 'sc stop carbonblackk' Fails With Error Code 105T
Article ID: 291049
Products
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
Running 'sc stop carbonblackk' no longer stops the sensor service on sensor versions 7.2.0 and above.
Environment
- EDR (formerly CB Response) sensor: 7.2.0 and above
- Microsoft Windows: All Supported versions
Cause
This is due to the new tamper protection feature added in sensor 7.2.0.
Resolution
From an elevated command prompt, run 'fltmc unload carbonblackk' to unload the kernel driver. Do this only after tamper protection is confirmed to be disabled.
Additional Information
- To verify that the driver has been unloaded, run 'fltmc' in an elevated command prompt and confirm that 'carbonblackk' is not listed.
- To restart the sensor service, start it using the msc snap-in or reboot the endpoint.
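
The verification step above, as an added PowerShell example (not from the original article or from the vendor): it parses 'fltmc' output and matches the filter name as a whole token, so a filter whose name only contains the string is not counted. The function name `Test-MinifilterLoaded`, the sample output and its placeholder altitude values are constructed for illustration.

```powershell
# Added example: check whether a minifilter appears in 'fltmc' output.
function Test-MinifilterLoaded {
    param(
        [string]   $FilterName,
        [string[]] $FltmcOutput   # lines as printed by 'fltmc'
    )
    foreach ($line in $FltmcOutput) {
        # The filter name is the first whitespace-delimited column. Compare the
        # whole token, not a substring; -eq is case-insensitive for strings.
        # Header, separator and blank lines never equal a filter name.
        $name = ($line.Trim() -split '\s+')[0]
        if ($name -eq $FilterName) { return $true }
    }
    return $false
}

# Constructed sample output (not captured from a real endpoint; the filter
# 'ExampleFilterA' and the altitude values are placeholders).
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleFilterA                          3       111111         0
carbonblackk                            4       222222         0
'@ -split '\r?\n'

"Sample listing contains carbonblackk: $(Test-MinifilterLoaded -FilterName 'carbonblackk' -FltmcOutput $sample)"

# Live check: 'fltmc' only lists filters from an elevated session.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $live = & fltmc.exe
    if ($LASTEXITCODE -ne 0) { throw "fltmc failed with exit code $LASTEXITCODE" }
    if (Test-MinifilterLoaded -FilterName 'carbonblackk' -FltmcOutput $live) {
        "carbonblackk is still loaded"
    } else {
        "carbonblackk is not listed: the driver is unloaded"
    }
} else {
    Write-Warning "Not elevated: run from an elevated prompt to check the live filter list."
}
```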