Linux Sensor Sends Mixed Data When Exec-Exec is Performed by a Process

Article ID: 285707

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

When you select a process search result or alert, the process analysis page displays a different process name.

Environment

  • Carbon Black EDR Sensor: 7.1.x and lower
  • Linux

Cause

When an exec-exec is performed, there is a chance the same PID is used. The sensor uses the PID as part of the unique ID and includes the newly created childproc as part of the parent process. This creates mixed data in the Solr document, so different process names appear in the console for the same process analysis.
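The following is an added illustration, not Carbon Black sensor code: a small Python model of how keying process documents on the PID merges two exec images into one document. The event stream, field names, and the per-PID exec counter used as a contrast key are assumptions of this example and do not describe how the 7.2.0 sensor resolves the issue.

```python
from collections import defaultdict

# Constructed event stream (not real sensor output). PID 4100 is forked by a
# shell, execs /usr/bin/env, which then execs /usr/bin/python3: exec-exec,
# so both images run under the same PID.
EVENTS = [
    {"type": "fork", "pid": 4100, "ppid": 4000},
    {"type": "exec", "pid": 4100, "path": "/usr/bin/env"},
    {"type": "exec", "pid": 4100, "path": "/usr/bin/python3"},
    {"type": "fork", "pid": 4101, "ppid": 4100},
    {"type": "exec", "pid": 4101, "path": "/usr/bin/id"},
]


def build_documents(events, split_on_exec):
    """Group events into per-process documents.

    split_on_exec=False keys documents on the PID alone (the behaviour the
    article describes). split_on_exec=True adds a per-PID exec counter to
    the key; that counter is an assumption of this example.
    """
    exec_count = defaultdict(int)
    docs = defaultdict(lambda: {"names": [], "children": []})

    def key(pid):
        return (pid, exec_count[pid]) if split_on_exec else (pid,)

    for ev in events:
        if ev["type"] == "exec":
            exec_count[ev["pid"]] += 1
            docs[key(ev["pid"])]["names"].append(ev["path"])
        elif ev["type"] == "fork":
            docs[key(ev["ppid"])]["children"].append(ev["pid"])
    return dict(docs)


def mixed_documents(docs):
    """Return keys of documents that carry more than one process name."""
    return sorted(k for k, d in docs.items() if len(d["names"]) > 1)


if __name__ == "__main__":
    for split in (False, True):
        docs = build_documents(EVENTS, split)
        print("split_on_exec =", split, "-> mixed:", mixed_documents(docs))
        for k, d in sorted(docs.items()):
            print("  ", k, d)
```

With the PID-only key, the document for PID 4100 holds both process names and the child fork, which matches the mixed process names seen in the console.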

Resolution

Upgrade to Linux sensor 7.2.0 or higher.

Additional Information