EDR: How to reset Live Response

Article ID: 292264

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

Reset Live Response to resolve usability issues

Environment

  • EDR Server: All Versions
    • Live Response

Resolution

  1. Stop Live Response
    • 7.4 and Above: /usr/share/cb/cbservice cb-liveresponse stop
    • 7.3 and Below: service cb-liveresponse stop
  2. mv /var/cb/data/live-response/sessions /var/cb/data/live-response/sessions.bak.$(date +%Y-%m-%d)
  3. mkdir /var/cb/data/live-response/sessions
  4. chown cb.cb /var/cb/data/live-response/sessions
  5. chmod 700 /var/cb/data/live-response/sessions
  6. Start Live Response
    • 7.4 and Above: /usr/share/cb/cbservice cb-liveresponse start
    • 7.3 and Below: service cb-liveresponse start
  • These steps can be run as a single line, if running as a sudo user:
    • 7.4 and Above:
/usr/share/cb/cbservice cb-liveresponse stop && mv /var/cb/data/live-response/sessions /var/cb/data/live-response/sessions.bak.$(date +%Y-%m-%d) && mkdir /var/cb/data/live-response/sessions && chown cb.cb /var/cb/data/live-response/sessions && chmod 700 /var/cb/data/live-response/sessions && /usr/share/cb/cbservice cb-liveresponse start
    • 7.3 and Below:
service cb-liveresponse stop && mv /var/cb/data/live-response/sessions /var/cb/data/live-response/sessions.bak.$(date +%Y-%m-%d) && mkdir /var/cb/data/live-response/sessions && chown cb.cb /var/cb/data/live-response/sessions && chmod 700 /var/cb/data/live-response/sessions && service cb-liveresponse start
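
The same reset as a checked script, added here as an example rather than taken from the article: it refuses to overwrite a backup made earlier the same day and verifies the fresh directory is empty and mode 0700 before reporting success. The version check by the presence of /usr/share/cb/cbservice, and the directory, owner and service-command parameters (so it can be tried on a scratch directory), are assumptions, not part of the original steps.

```shell
# Added example; not Carbon Black's own tooling. Assumes (not stated in the article) that
# 7.4+ is identified by /usr/share/cb/cbservice existing. Directory, owner and the
# stop/start command are parameters so the function can be run against a scratch directory.

lr_service() {
  # Start/stop cb-liveresponse with the command matching the installed EDR version.
  if [ -x /usr/share/cb/cbservice ]; then
    /usr/share/cb/cbservice cb-liveresponse "$1"
  else
    service cb-liveresponse "$1"
  fi
}

reset_live_response() {
  # $1 sessions directory, $2 owner as user:group, $3 service control command
  sessions=${1:-/var/cb/data/live-response/sessions}
  owner=${2:-cb:cb}
  svc=${3:-lr_service}
  backup="$sessions.bak.$(date +%Y-%m-%d)"

  if [ ! -d "$sessions" ]; then
    echo "no sessions directory at $sessions" >&2
    return 1
  fi
  if [ -e "$backup" ]; then
    echo "$backup already exists; move it aside before resetting again" >&2
    return 1
  fi

  "$svc" stop || return 1
  mv "$sessions" "$backup" || return 1
  mkdir "$sessions" || return 1
  chown "$owner" "$sessions" || return 1
  chmod 700 "$sessions" || return 1
  "$svc" start || return 1

  # Post-check: the new directory must be empty and owner-only (0700), as step 5 sets it.
  if [ -n "$(ls -A "$sessions")" ]; then
    echo "$sessions is not empty after reset" >&2
    return 1
  fi
  if [ -z "$(find "$sessions" -prune -perm 700)" ]; then
    echo "$sessions is not mode 0700" >&2
    return 1
  fi
  echo "Live Response sessions reset; previous sessions kept in $backup"
}
```

Run it on the server as root with no arguments to use the article's paths; the old sessions stay in the dated backup directory until you remove it.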

Additional Information

Once Live Response is confirmed to be working normally, the backed-up sessions.bak.<date> directory can be deleted.