CB Response: CBStream Driver can cause hang on system startup

Article ID: 291604

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Services can become stuck due to the CarbonBlack WFP NetMon Driver failing to signal that it fully started.
  • Nutanix AHV platform virtual machine login hangs with a message: "please wait for the group policy client".
  • Once the sensor is uninstalled, the issue is no longer present.

Environment

  • CB Response Sensor: 6.1.X - 6.2.1
  • Microsoft Windows: All Supported Versions

Cause

  • TCP Offloading is present on the (real or virtual) NIC.
  • Some examples include Nutanix or any VM where "VirtIO" drivers are being used.
  • The NIC settings for the VM show two options that are enabled: Recv Segment Coalescing (IPv4) and Recv Segment Coalescing (IPv6).

Resolution

  • This has been identified as issue: CB-20760, which is expected to be resolved in CB Response Windows Sensor 6.2.2
  • Workaround:
    1. In an admin command prompt, disable the cbstream driver:
      sc config cbstream start= disabled
    2. Boot the machine into Safe Mode.
    3. Open PowerShell as Administrator and disable RSC:
      Disable-NetAdapterRsc *
    4. Reboot the system.
    5. Open the Network Adapter properties --> Advanced tab, scroll down to Recv Segment Coalescing (IPv4) and Recv Segment Coalescing (IPv6), and confirm that both read "Disabled".
    6. In an admin command prompt, enable the cbstream driver:
      sc config cbstream start= auto
    7. Reboot the system for the changes to take effect.
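
The two settings the workaround changes can also be checked from PowerShell instead of the adapter properties dialog. The script below is an added example, not part of the original article or the vendor's tooling; it is read-only, and the function name Get-CbStreamRscStatus and the output field names are hypothetical. It assumes the driver is registered under the service name cbstream, as in the sc commands above.

```powershell
# Added example: read-only check of the cbstream start mode and per-adapter RSC state.
# Run in an elevated PowerShell session on the affected Windows host.
function Get-CbStreamRscStatus {
    [CmdletBinding()]
    param(
        # Service name taken from the "sc config cbstream" commands in the workaround.
        [string]$DriverName = 'cbstream'
    )

    # Kernel drivers are exposed through Win32_SystemDriver; StartMode is
    # one of Boot, System, Auto, Manual or Disabled.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver `
        -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue

    # Get-NetAdapterRsc reports the IPv4/IPv6 Receive Segment Coalescing setting
    # for each adapter that supports RSC.
    $rsc   = @(Get-NetAdapterRsc -Name '*' -ErrorAction SilentlyContinue)
    $rscOn = @($rsc | Where-Object { $_.IPv4Enabled -or $_.IPv6Enabled })

    $startMode = if ($driver) { $driver.StartMode } else { $null }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DriverFound        = [bool]$driver
        DriverStartMode    = $startMode
        AdaptersWithRscOn  = ($rscOn.Name -join ', ')
        # Condition described under Cause: driver set to load while RSC is still enabled.
        HangConditionMet   = ([bool]$driver -and $startMode -ne 'Disabled' -and $rscOn.Count -gt 0)
        # State expected after step 7: driver back on Auto, RSC off on every adapter.
        WorkaroundComplete = ($startMode -eq 'Auto' -and $rscOn.Count -eq 0)
    }
}

Get-CbStreamRscStatus | Format-List
```

After step 4, AdaptersWithRscOn should be empty and DriverStartMode should still read Disabled; WorkaroundComplete becomes True only once step 6 has been applied.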