Issue
I have recently upgraded the operating system on my endpoint. The sensor is no longer checking into the server. I have uninstalled and reinstalled the sensor and it has yet to check in. How can I fix this issue?
Environment
VMware Carbon Black EDR Windows sensor
Resolution
From the VMware EDR: How to uninstall a corrupt sensor article:
- Boot in Safe Mode
- Open Registry and delete the following:
- HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config
- HKEY_CLASSES_ROOT\Installer\Products\<Product Code of CarbonBlack Sensor>
- Since the 'Product Code' is uniquely assigned by Windows, the most efficient way of finding the 'Product Code' mentioned above would be:
- With the Registry open, right click HKEY_CLASSES_ROOT, then click 'Find'
- Type 'carbonblack sensor', then click 'Find Next'
- A result should be found in the relative path above.
- Since the 'Product Code' is uniquely assigned by Windows, the most efficient way of finding the 'Product Code' mentioned above would be:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CarbonBlack
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\carbonblackk
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cbstream
- Open appwiz.cpl and select Cb Enterprise Response Sensor
- It will prompt, that the application is not present anymore and to which you can delete.
- Open services.msc and select Carbon Black Sensor
- It will prompt it does not exist, to delete this stale entry open cmd as admin and type the following.
- sc delete CarbonBlack
- Reboot Machine.
Cause
The sensor installation was corrupted. Booting into Safe Mode allows for complete removal because it prevents system services from attaching to residual sensor files that may be present after uninstallation.
Comments
0 comments
Please sign in to leave a comment.