Carbon Black Cloud: Sophos Updates Being Blocked By Sensor

Article ID: 291368

Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Sophos auto-updates or the Sophos installer fail because of the CBC Sensor's tamper protection rule

Environment

  • Carbon Black Cloud Sensor: 3.6 and Higher
  • Microsoft Windows: All Supported Versions

Cause

  • The Sophos installer is trying to modify Sensor-related files and registry keys
  • This triggers the CBC Sensor tamper protection rules, which are working as designed

Resolution

  • Make sure that exclusions are in place for both CBC & Sophos
  • Reach out to Sophos support to get a version of the installer which doesn't touch the CBC registry keys
  • An updated version of Sophos is the most secure solution. As a workaround, the sensor can be put into bypass during the Sophos upgrade, and the bypass removed after the upgrade is complete

Additional Information

  • Sophos has at least one bug open for this issue, tracked as WINEP-37499
  • This issue is triggering tamper protection on multiple security applications