CB Response: Cbdaemon causes high CPU when installed on a NAS
search cancel

CB Response: Cbdaemon causes high CPU when installed on a NAS

book

Article ID: 285387

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

CPU usage increases after installing the Linux Sensor on a NAS mounted file system.

Environment

  • CB Resonse Linux Sensor: All Versions

Cause

This is a known issue with the Response driver.
 

Resolution

The following steps can be used as a workaround:
  1. Stop the daemon: 
    service cbdaemon stop          
service cbdaemon status
  2. Unload the driver: 
    lsmod | grep cbsensor 
modprobe -r cbsensor          
modprobe -r cbsensor (must execute this twice)          
lsmod | grep cbsensor
  3. Install gdb: 
    yum install gdb
  4. Modify the module: 
    cp /lib/modules/`uname -r`/kernel/lib/cbsensor.ko /lib/modules/`uname -r`/kernel/lib/cbsensor.ko.ORIG
gdb -write /lib/modules/`uname -r`/kernel/lib/cbsensor.ko         
(gdb) p /x g_enableHooks         $1 = -1         
(gdb) set {int}&g_enableHooks = 0xFFFFFFBF         
(gdb) p /x g_enableHooks         
(gdb) q
  5. Reload module and restart daemon: 
    service cbdaemon start

Additional Information

While this is a known issue, there is no current timeline of when this will be fully addressed.
Confirm the cbdaemon service has started: 
1. service cbdaemon status
2. lsmod | grep cbsensor

 
Powered by Wolken Software