Carbon Black Cloud: Windows DNS server experiencing high CPU

Article ID: 285913


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  1. High CPU usage occurs when the CBC sensor is in Active Mode.
  2. CPU usage returns to normal when the sensor is placed in Bypass Mode.
  3. A Process Monitor summary shows a high number of network connections for the process name "dns.exe".
  4. The CBC sensor's confer.log may show thousands of network connection failures similar to this:
     02/16/24 15:21:15.590: 236c ERROR PscEventDefenseHelper::LogEventCollectionFailure:334
     CBEVENT:
     Pid[4-133466600456556752-0] (SYSTEM)
     ProcessTags(Cb:Sensor:ProcessClassified,Cb:Sensor:ProcessDiscovered)
     Op:NET_SERVER
     TargetType:NETWORK
     (network)
     was:Allow
     by policy:FE7B920A-4A43-48A4-97D6-485DDE059A90 rev:150 rule:D51B70DC-77FC-4857-94E4-21916347E59B (Report network NET_SERVER NET_CLIENT (TCP )operations only)
     Reason RptNetOp failed to send event

Environment

  • Carbon Black Cloud Windows Sensor: All versions
  • Carbon Black Cloud Console: All versions
  • Microsoft Windows DNS server: All versions

Cause

dns.exe is generating many thousands of events.

Resolution

Consider implementing the following policy exclusion:
- Edit the policy.
- Go to the sensors tab, then scroll to the bottom of the page.
- Add the reporting exclusion for "C:\Windows\System32\dns.exe".
- Allow at least 15 minutes for the new rules to be downloaded to the affected endpoints, then monitor.
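
One way to quantify the confer.log symptom from the Issue section, and to compare it before and after the exclusion, is to count the failure records per operation, reason, rule and minute. This is an added example, not part of the original article or a Carbon Black tool; it assumes each record starts with a timestamped line (MM/DD/YY) followed by continuation lines as in the excerpt, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: layout and policy/rule IDs copied from the article's excerpt;
# the timestamps, the NET_CLIENT record and the trailing INFO record are invented.
RECORD = """{ts}: 236c ERROR PscEventDefenseHelper::LogEventCollectionFailure:334
CBEVENT:
Pid[4-133466600456556752-0] (SYSTEM)
Op:{op}
TargetType:NETWORK
by policy:FE7B920A-4A43-48A4-97D6-485DDE059A90 rev:150 rule:D51B70DC-77FC-4857-94E4-21916347E59B (Report network NET_SERVER NET_CLIENT (TCP )operations only)
Reason RptNetOp failed to send event
"""
SAMPLE = "".join(RECORD.format(ts=t, op=o) for t, o in [
    ("02/16/24 15:21:15.590", "NET_SERVER"),
    ("02/16/24 15:21:15.702", "NET_SERVER"),
    ("02/16/24 15:22:03.118", "NET_CLIENT"),
]) + "02/16/24 15:22:04.000: 236c INFO Constructed::UnrelatedEntry:1\nOp:NET_SERVER\n"

# Assumed header layout: "MM/DD/YY HH:MM:SS.mmm: <thread> <LEVEL> <source>"
HEADER = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+: \S+ (\w+) (\S+)")
RULE = re.compile(r"\brule:([0-9A-Fa-f-]{36})")

def parse_records(text):
    """Group continuation lines under the timestamped line that precedes them."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            records.append({"ts": ts, "level": m.group(2), "source": m.group(3)})
        elif records:
            rec, rule = records[-1], RULE.search(line)
            if line.startswith("Op:"):
                rec["op"] = line[3:].strip()
            elif line.startswith("Reason "):
                rec["reason"] = line[7:].strip()
            elif rule:
                rec["rule"] = rule.group(1)
    return records

def summarize_failures(text):
    """Count event-collection failures by (op, reason, rule) and per minute."""
    by_key, by_minute = Counter(), Counter()
    for rec in parse_records(text):
        if "LogEventCollectionFailure" in rec["source"]:
            by_key[(rec.get("op"), rec.get("reason"), rec.get("rule"))] += 1
            by_minute[rec["ts"].strftime("%m/%d/%y %H:%M")] += 1
    return by_key, by_minute
```

Passing the contents of confer.log to `summarize_failures` before and after the exclusion reaches the endpoint gives a per-minute count to compare during the monitoring step.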