Skip to main content
Red Canary help

Troubleshooting endpoints stuck in bypass

  • Updated .

Issue

I am having an issue where multiple endpoints in our VMware Carbon Black Cloud console are reporting as being in Bypass. How can I resolve this issue?

Environment

VMware Carbon Black Cloud

All sensors

Resolution

The various bypass messages that may appear in the VMware Carbon Black Cloud console can be found in the article linked below:

Bypass Reasons

Depending on the circumstances that led to a sensor moving to a bypass state, a reboot may resolve the issue. Please follow the instructions below for more detailed steps that can be taken to remove a sensor out of bypass.

Troubleshooting Windows endpoints stuck in bypass

Note: These instructions assume that there were previous attempts made to modify the cfg.ini file. If no previous attempt to enable RepCLI was ever made, please follow the instructions in the following article: How to Enable RepCLI Authentication on Existing Sensors.

  1. Check to see if the endpoint is running a supported version of the VMware Carbon Black Cloud sensor:

    Windows Operating Systems and Respective Sensors (desktop)
    Windows Operating Systems and Respective Sensors (server)

    If the endpoint is running an unsupported or out of date sensor, please upgrade and reboot the endpoint to see if it returns to a normal state. If this does not resolve the issue, proceed to step 2.

  2. Restore the cfg.ini file back to its original state.
  3. After restoring the original cfg.ini file, reboot the endpoint, if possible.
  4. Check the CBC console to see if the endpoint has come out of bypass after the reboot (give this process about five minutes before it updates in the console).
  5. If the endpoint is still stuck in bypass, then reconfigure the cfg.ini as you've performed previously, but add the AuthenticatedCLIUsers parameter to the bottom of the config file and save the file (if the local Administrator SID does not work, then it is recommended to use a Domain Admin SID; it may also be necessary to reboot the endpoint after saving the changes to the file).
  6. After the config has been saved, open an elevated command prompt and navigate to the cd C:\Program Files\Conferdirectory. 
  7. Execute the following command:
    repcli updateconfig
  8. If this command is successful, then attempt to remove the endpoint from bypass 0
    If the command from step six was unsuccessful, reboot the endpoint and attempt again (only if this was not performed after step 4).

Troubleshooting Linux endpoints stuck in bypass

  1. Verify if Secure Boot is enabled by running the following command on a Linux endpoint that has the VMware Carbon Black Cloud sensor installed:
    bootctl status

    Secure Boot is not supported on the VMware Carbon Black Cloud Linux sensor at this time.
  2. Check to see if the endpoint is running the correct sensor version. Supported sensor versions for the Linux sensor can be found in the article linked below:

    Supported Linux Operating Systems and Respective Sensors
  3. Verify that the appropriate kernel headers have been installed and are active.

    Prerequisites for Linux 4.4+ Kernels for Linux Sensor Versions 2.10+

    Reboot the endpoint after the kernel headers have been applied.

Troubleshooting macOS endpoints stuck in bypass

As previously mentioned, reboot the endpoint to see if it returns to a normal state. If rebooting the endpoint does not work, please follow the steps below:

  1. Ensure that full disk access (FDA) has been granted on endpoints running the VMware Carbon Black Cloud macOS sensor.

    Manually Grant 3.5.1 or later macOS sensors FDA
    Grant 3.5.1 or later macOS sensors FDA via MDM

    To get a list of macOS sensors that do not have FDA granted, log the VMware Carbon Black Cloud console and navigate to Inventory > Endpoints. In the search bar, enter the following query:

    sensorStates:FULL_DISK_ACCESS_NOT_GRANTED

  2. Check to ensure that the installed sensor is supported on the version of macOS that is running on the endpoint.

    Note on endpoints running older versions of macOS:
    • If an endpoint is running macOS 10.15 - 12.2 (Intel or M1), the only compatible sensor version is 3.6.1.10
    • If an endpoint is running macOS 10.14 - 11.6.2 then sensor version 3.5.3.82 can be used

 

Cause

There are a number of reasons that can cause the VMware Carbon Black Cloud sensor to get stuck in bypass:

  • Upgrade process was unable to complete due to a driver or process being locked up by another system process (Linux, macOS, Windows). Rebooting the endpoint may resolve this issue.
  • Secure Boot preventing the kernel module from loading properly (Linux endpoints).
  • Unsupported OS (macOS).
  • Full disk access has not been applied properly (macOS).
  • Master/Golden device in bypass during deployment of clones. Take base device out of bypass and then have clones deployed.