EDR: Excessive Event Loss at System Reboot
Article ID: 285953
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- An EDR Windows Sensor is showing "Excessive Event Loss" in the web console
- The message disappears shortly after reboot
Environment
- EDR Sensor: All Versions
- Microsoft Windows: All Supported Versions
Cause
The sensor driver event queue is being filled by a large number of Windows startup events before the sensor service starts
Resolution
- Make sure that AV exclusions are in place EDR: Which Sensor directories need exclusion from 3rd party anti-virus scans?
- After a couple of check-ins from the sensors the message will go away
Additional Information
- Kernel Queue is hard coded to 12k for all OS's. By considering physical memory size on the box this value can be higher, resulting in the kernel not dropping events.
- At start, the kernel queue caches events before the user level service can start
- Excessive event loss can also be seen
- If event types have been disabled in the sensor group
- If the sensor service is not running at all. Run sc query carbonblack in cmd to confirm
Feedback
Yes
No
Powered by
