How to Troubleshoot Sensor Performance Issues

Article ID: 284922


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How to troubleshoot sensor performance issues

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions
  • Linux: All Supported Versions

Resolution

Initial Steps

Verify that:

  • The endpoint is using a supported and compatible Agent version.
  • Agent Exclusions are present for any installed third-party security applications (e.g. antivirus, firewall, real-time scanner, vulnerability scanner, etc.).
  • Uninstalling the Agent removes the performance impact. If the problem does not persist after uninstall, it is not related to Carbon Black.
  • Upgrading to the latest available agent version doesn't resolve the issue.

Isolate the Affected Component

Navigate to Settings > General. Once on this page, review the list of enabled products for your environment. Specifically, check whether you are running:

  • Endpoint Standard

  • Enterprise EDR

  • Both (Endpoint Standard and Enterprise EDR)

Endpoint Standard Only Customers:

  1. Log in to the Carbon Black Cloud Console.
  2. Navigate to the Investigate page and note any observations that occurred during the time of impact.
  3. Create a test policy and confirm whether creating an NGAV Reporting and Sensor Operations Exclusion under Enforce > Policies > Sensor tab for the affected application(s) resolves the issue. If there is no apparent application causing the behavior, proceed to the "If the issue persists" section of this article.

Enterprise EDR Only Customers:

  1. Log in to the Carbon Black Cloud Console.
  2. Navigate to the Investigate page and note which applications are creating events during the time of impact.
  3. Create a test policy and confirm whether creating an Event Reporting and Sensor Operations Exclusion under Enforce > Policies > Sensor tab for the affected application(s) resolves the issue. If there is no apparent application causing the behavior, proceed to the "If the issue persists" section of this article.

Endpoint Standard and Enterprise EDR Customers:

  1. Create a test policy
  2. Confirm if creating an NGAV Reporting and Sensor Operations Exclusion of ** (exclude everything) resolves the issue.
    • If there is a positive impact, then that indicates that the Endpoint Standard part of the product is the component having the impact.
      • Remove the ** rule and replace it with a targeted exclusion of the affected application. If unknown, proceed to the "If the issue persists" section of this article.
    • If there is not a positive impact, remove the rule and proceed to step 2.
  3. Confirm whether creating an Event Reporting and Sensor Operations Exclusion of ** (exclude everything) resolves the issue.
    • If there is a positive impact, then that indicates that the Enterprise EDR part of the product is the component having the impact.
      • Remove the ** rule and replace it with a targeted exclusion of the affected application. If unknown, proceed to the "If the issue persists" section of this article.
    • If there is not a positive impact, remove the rule and proceed to "If the issue persists".

If the issue persists

Open a 'Technical' Support Case and provide the following:

  1. Definition of the problem:
    • What is the expected behavior vs. the current behavior?
      • Is there high disk usage / CPU / Memory, device crash, "hanging" of a specific application?
    • Any applicable application names and the paths/processes involved when the impact occurs.
    • Are there any specific behaviors or steps that trigger the issue? (For example, launching an application, selecting a tab / link / process, executing a specific function, etc.)
  2. Background information
    • When did the performance issue start? What changes occurred? Examples:
      • An application was updated
      • A Windows update occurred
      • After X date
      • After the initial agent install
      • After upgrading the agent
  3. A list of any steps that were taken as part of troubleshooting
  4. Sensor Performance Logs