EDR: Live Response Memdump Zip File is Corrupt


Article ID: 285963


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

The compressed (zip) memory dump file produced by the Live Response memdump command is corrupt.

Environment

  • EDR Sensor: All Supported
  • Windows: All Supported

Cause

In some cases, a third-party security product is monitoring the working directory of the memdump command.

Resolution

Adding an exclusion for the working directory in the third-party security product resolves the corruption issue.
For example, when the memory dump is written with:

     C:\Windows\CarbonBlack> memdump C:\Windows\Temp\memdump.dmp

an exclusion for the "C:\Windows\Temp" directory is needed.