Issue
VMware Carbon Black has changed the permissions on the CarbonBlack directory located in the Windows Directory. When the sensor group's Tamper Protection is set to "None" or "Protection", the DACL of the C:\Windows\CarbonBlack directory on the endpoint can be modified.
Environment
Carbon Black EDR (formerly CB Response) Windows sensor 7.2+
Carbon Black EDR (formerly CB Response) Server 7.4+
Resolution
When the sensor group's Tamper Protection is set to "Protection", the DACL can no longer be changed. The tamper level can also be viewed in the registry, where the values 0, 1, and 2 correspond to None, Detection, and Protection:
- "TamperLevelRequested": set by the server during check-in. HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\Config, TamperLevelRequested, REG_DWORD, 0x1
- "TamperLevelActive": the tamper level actually in effect on the endpoint. HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\Config, TamperLevelActive, REG_DWORD, 0x1
Please note that the registry values cannot be changed when the sensor is set to "Protection" ("2" in the registry). The registry values can be changed temporarily if the policy is set to "None" (0) or "Detection" (1), but they are reset to the policy settings at the next sensor check-in.
To determine the sensor version that is currently installed, check the file version of the core driver at C:\Windows\System32\Drivers\cbk7.sys.
The registry also contains information about the sensor version. Depending on how the sensor was installed and the Windows architecture, the locations are as follows:
- 64-bit Windows, .msi installer: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}\DisplayName
- 32-bit Windows, .msi installer: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}\DisplayName
- 64-bit Windows, .exe installer: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D39D543C-4B68-4FB7-AD24-6B69A226E27}
- 32-bit Windows, .exe installer: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{D39D543C-4B68-4FB7-AD24-6B69A226E27}
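As an added audit script (not part of this article and not VMware's own tooling), the following PowerShell reads the TamperLevelRequested/TamperLevelActive values, the cbk7.sys driver version and the uninstall DisplayName described above, and lists the ACEs on C:\Windows\CarbonBlack that grant write or permission-change rights to broad groups. The "Carbon Black" DisplayName filter and the list of broad identities are assumptions.

```powershell
# Added example: audit Carbon Black EDR sensor tamper state, version and directory DACL.
# Registry paths, value names and file paths are those given in the article above.
$tamperNames = @{ 0 = 'None'; 1 = 'Detection'; 2 = 'Protection' }
$cfgKey      = 'HKLM:\SOFTWARE\CarbonBlack\Config'
$driverPath  = 'C:\Windows\System32\Drivers\cbk7.sys'
$cbDir       = 'C:\Windows\CarbonBlack'

function Get-CbTamperLevel {
    # Requested (from server) vs Active (in effect); a mismatch means the endpoint
    # has not yet applied the policy, or the value was changed locally before check-in.
    $props = Get-ItemProperty -Path $cfgKey -ErrorAction Stop
    foreach ($name in 'TamperLevelRequested', 'TamperLevelActive') {
        $level = [int]$props.$name
        [pscustomobject]@{ Value = $name; Level = $level; Meaning = $tamperNames[$level] }
    }
}

function Get-CbSensorVersion {
    $fileVersion = if (Test-Path $driverPath) { (Get-Item $driverPath).VersionInfo.FileVersion } else { 'driver not found' }
    $uninstallRoots = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
                      'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    # Assumption: the sensor's uninstall entry DisplayName contains "Carbon Black" or "CB Response".
    $display = Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Get-ItemProperty |
        Where-Object { $_.DisplayName -match 'Carbon Black|CB Response' } |
        Select-Object -ExpandProperty DisplayName -First 1
    [pscustomobject]@{ DriverFileVersion = $fileVersion; UninstallDisplayName = $display }
}

function Get-CbDirectoryAcl {
    # Identities treated here as "broad" (assumption); an Allow ACE granting any of the
    # flagged rights to one of them means non-privileged users could alter the directory.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $flagged = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions
    foreach ($ace in (Get-Acl -Path $cbDir).Access) {
        $grantsWrite = ($ace.FileSystemRights -band $flagged) -ne 0
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Weak      = ($ace.AccessControlType -eq 'Allow') -and $grantsWrite -and ($broad -contains $ace.IdentityReference.Value)
        }
    }
}

Get-CbTamperLevel   | Format-Table -AutoSize
Get-CbSensorVersion | Format-List
Get-CbDirectoryAcl  | Format-Table -AutoSize
```

Run from an elevated prompt; a row with Weak = True on a sensor whose TamperLevelActive is 2 is worth raising with support, since the article states the DACL should not be changeable at that level.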