Carbon Black Cloud: Unable to save the Windows Sensor logs on 3.6 and above

Article ID: 292581

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Observe the following error when selecting C:\ProgramData\CarbonBlack:
    You don't currently have permission to access this folder.
    Click Continue to permanently get access to this folder.
  • When Continue is selected, observe a new error:
    You have been denied permission to access this folder.
    To gain access to this folder you will need to use the security tab.
  • If the Security tab is selected and the Advanced button is selected to change the owner, the owner cannot be displayed:
    Name: C:\ProgramData\CarbonBlack
    Owner: Unable to display current owner
  • If Change is selected, observe that System is the owner and cannot be changed:
    Name: C:\ProgramData\CarbonBlack
    Owner: System

Environment

  • Carbon Black Cloud Windows Sensor: 3.6 and Higher
  • Microsoft Windows: All Supported Versions

Cause

Access to C:\ProgramData\CarbonBlack is denied, and the owner cannot be changed from System, because of Carbon Black tamper protection.

Resolution

  1. Disable Sensor Tamper Protection and Enforcement by Enabling Bypass. There are several ways this can be accomplished. See https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-How-to-Get-Started-With-Bypass-Mode/ta-p/40693
  2. If Bypass is not available or possible, boot the device into Windows Safe Mode and attempt to manually collect sensor logs by zipping the following directory: C:\ProgramData\CarbonBlack
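
One way to script the manual collection in step 2, as an added example that is not part of the original article or a Carbon Black tool. It assumes an elevated PowerShell session started after Bypass has been enabled or in Safe Mode; the output folder and archive name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. $Source is the directory named in this article;
# $OutDir and the archive name are assumed values, change as needed.
param(
    [string]$Source = 'C:\ProgramData\CarbonBlack',
    [string]$OutDir = "$env:SystemDrive\Temp"
)
$ErrorActionPreference = 'Stop'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$staging = Join-Path $OutDir "CbcSensorLogs-$env:COMPUTERNAME-$stamp"
$zip     = "$staging.zip"

# 1. Confirm the folder is readable. While tamper protection is enforcing,
#    this fails with the access-denied condition described in this article.
try {
    $null = Get-ChildItem -LiteralPath $Source -Force
    Write-Host ("Owner: " + (Get-Acl -LiteralPath $Source).Owner)
}
catch {
    throw "Cannot read $Source ($($_.Exception.Message)). " +
          "Enable Bypass or boot into Safe Mode, then run this again."
}

# 2. Copy to a staging folder first, so a file that is locked or still
#    protected is recorded and skipped instead of aborting the archive.
New-Item -ItemType Directory -Path $staging -Force | Out-Null
$copyErrors = @()
Copy-Item -Path (Join-Path $Source '*') -Destination $staging -Recurse -Force `
    -ErrorAction SilentlyContinue -ErrorVariable copyErrors

# 3. Zip the staged copy with the .NET ZipFile API.
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::CreateFromDirectory($staging, $zip)

# 4. Report what was skipped, print a hash to quote when handing the
#    archive over, and remove the uncompressed staging copy.
if ($copyErrors.Count -gt 0) {
    Write-Warning "$($copyErrors.Count) item(s) could not be copied:"
    $copyErrors | ForEach-Object { Write-Warning ("  " + $_.Exception.Message) }
}
Get-FileHash -LiteralPath $zip -Algorithm SHA256 | Format-List Path, Hash
Remove-Item -LiteralPath $staging -Recurse -Force
```

If Bypass was enabled for the collection, take the sensor out of Bypass afterwards so that tamper protection and enforcement are active again.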