Skip to main content
Red Canary help

Troubleshooting Endpoints Stuck in Bypass

  • Updated .

Issue

User is experiencing issues where they have endpoints that are reporting a status of Sensor Bypass (Admin Action).

Environment

VMware Carbon Black Cloud

All sensors

Resolution

Troubleshooting Windows endpoints stuck in bypass

Note: These instructions assume that there were previous attempts made to modify the cfg.ini file. If no previous attempt to enable RepCLI was ever made, please follow the instructions in the following article: How to Enable RepCLI Authentication on Existing Sensors.

  1. Restore the cfg.ini file back to its original state.
  2. After restoring the original cfg.ini file, reboot the endpoint, if possible.
  3. Check the CBC console to see if the endpoint has come out of bypass after the reboot (give this process about five minutes before it updates in the console).
  4. If the endpoint is still stuck in bypass, then reconfigure the cfg.ini as you've performed previously, but add the AuthenticatedCLIUsers parameter to the bottom of the config file and save the file (if the local Administrator SID does not work, then it is recommended to use a Domain Admin SID; it may also be necessary to reboot the endpoint after saving the changes to the file).
  5. After the config has been saved, open an elevated command prompt and navigate to the C:\Program Files\Confer directory
    cd C:\Program Files\Confer
  6. Execute the following command:
    repcli updateconfig
  7. If this command is successful, then attempt to remove the endpoint from bypass:
    bypass 0
    If the command from step six was unsuccessful, reboot the endpoint and attempt again (only if this was not performed after step 4).

Troubleshooting Linux endpoints stuck in bypass

Verify if Secure Boot is enabled by running the following command on a Linux endpoint that has the VMware Carbon Black Cloud sensor installed:
bootctl status

Secure Boot is not supported on the VMware Carbon Black Cloud Linux sensor at this time.

Troubleshooting macOS endpoints stuck in bypass

Ensure that full disk access has been applied to endpoints running the VMware Carbon Black Cloud macOS sensor.

Manually Grant 3.5.1 or later macOS sensors FDA

Grant 3.5.1 or later macOS sensors FDA via MDM

Also check to ensure that the installed sensor is supported on the version of macOS that is running on the endpoint.

  • If an endpoint is running macOS 10.15 - 12.2 (Intel or M1), the only compatible sensor version is 3.6.1.10
  • If an endpoint is running macOS 10.14 - 11.6.2 then sensor version 3.5.3.82 can be used

There are cases where rebooting the endpoint may fix this issue.

Cause

There are a number of reasons that can cause the VMware Carbon Black Cloud sensor to get stuck in bypass:

  • Upgrade process was unable to complete due to a sensor driver or process being locked up by another system process (Linux, macOS, Windows). Rebooting the endpoint may resolve this issue.
  • Secure Boot preventing the kernel module from loading properly (Linux endpoints).
  • Unsupported OS (macOS).
  • Full disk access has not been applied properly (macOS).
  • Master/Golden device in bypass during deployment of clones. Take base device out of bypass and then have clones deployed.