Carbon Black Cloud: Windows DNS server experiencing high CPU
Article ID: 285913
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
High CPU occurs when the CBC Sensor is in Active Mode. CPU returns to normal when the sensor is placed in Bypass Mode. A Process Monitor summary will show a high number of network connections for the process name "dns.exe". The CBC sensor's confer.log may show thousands of network connection failures similar to this:
02/16/24 15:21:15.590: 236c ERROR PscEventDefenseHelper::LogEventCollectionFailure:334
CBEVENT:
Pid[4-133466600456556752-0] (SYSTEM)
ProcessTags(Cb:Sensor:ProcessClassified,Cb:Sensor:ProcessDiscovered)
Op:NET_SERVER
TargetType:NETWORK
(network)
was:Allow
by policy:FE7B920A-4A43-48A4-97D6-485DDE059A90 rev:150 rule:D51B70DC-77FC-4857-94E4-21916347E59B (Report network NET_SERVER NET_CLIENT (TCP )operations only)
Reason RptNetOp failed to send event
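To confirm this symptom on an affected server, the failures can be counted from a copy of confer.log. The script below is an added example, not Carbon Black tooling: it assumes entries follow the layout of the excerpt above, takes the log path as an argument (the page does not state where the file lives), and runs on a constructed sample when no path is given.

```python
import re
import sys
from collections import Counter

# An entry starts "MM/DD/YY HH:MM:SS.mmm: <thread> <LEVEL> ..."; lines without
# that prefix are treated as continuations of the previous entry.
ENTRY_START = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d):\d\d\.\d+: \S+ (\w+) ")
FAILURE = "RptNetOp failed to send event"

def entries(lines):
    """Yield one dict per log entry, joining continuation lines."""
    current = None
    for line in lines:
        m = ENTRY_START.match(line)
        if m:
            if current:
                yield current
            current = {"minute": m.group(1), "level": m.group(2), "text": line}
        elif current:
            current["text"] += "\n" + line
    if current:
        yield current

def summarize(lines):
    """Count ERROR entries with the RptNetOp failure, per minute and per Op."""
    per_minute, per_op = Counter(), Counter()
    for e in entries(lines):
        if e["level"] == "ERROR" and FAILURE in e["text"]:
            per_minute[e["minute"]] += 1
            op = re.search(r"Op:(\w+)", e["text"])
            per_op[op.group(1) if op else "unknown"] += 1
    return per_minute, per_op

# Constructed sample: two shortened failure entries plus one unrelated entry.
SAMPLE = """\
02/16/24 15:21:15.590: 236c ERROR PscEventDefenseHelper::LogEventCollectionFailure:334
CBEVENT:
Op:NET_SERVER
Reason RptNetOp failed to send event
02/16/24 15:21:15.602: 236c ERROR PscEventDefenseHelper::LogEventCollectionFailure:334
Op:NET_SERVER
Reason RptNetOp failed to send event
02/16/24 15:22:01.010: 1a2b INFO Constructed::Unrelated:1
""".splitlines()

if __name__ == "__main__":
    # Pass the path to a copy of confer.log; with no argument the sample is used.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    per_minute, per_op = summarize(lines)
    for minute, count in sorted(per_minute.items()):
        print(minute, count)
    print(dict(per_op))
```

Running it again after the exclusion has been in place shows whether the per-minute failure count has dropped.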
Environment
Carbon Black Cloud Windows Sensor: All versions
Carbon Black Cloud Console: All versions
Microsoft Windows DNS server: All versions
Cause
dns.exe is generating many thousands of events.
Resolution
Consider implementing the following policy exclusion:
- Edit the policy.
- Go to the sensors tab, then the bottom of the page.
- Add the reporting exclusion for "C:\Windows\System32\dns.exe".
- Allow at least 15 minutes for these new rules to be downloaded to the affected endpoints and monitor.