Why Does the Carbon Black Cloud Sensor Run as System / Root?



Article ID: 286019


Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

Why does the Carbon Black sensor run as system / root?

Environment

  • Carbon Black Cloud Sensor
  • Linux: All Supported Versions
  • macOS: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

The sensor needs to run as system / root so it can:

  • Install, start, stop and communicate with its kernel driver / system extension
  • Read arbitrary files on the file system in order to produce hashes for them
  • Upgrade itself (e.g. run the installer, which itself must run as root)
  • Access resources available only to root when a specific query requires it (Audit and Remediation / Live Response)
  • Terminate bad processes (Enterprise EDR hash banning, Endpoint Standard policy actions)
  • Benefit from the way the OOM killer weighs root processes (reducing the chance that the sensor is killed) and access reserved memory