Child Process with Crossproc Appears to be Suppressed When Using Recommended Retention

Article ID: 287419

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

When the sensor group retention setting is set to "Recommended", a process that contains a crossproc is suppressed, but the same process is seen when retention is set to "Minimal".

Environment

  • Carbon Black EDR: All Supported Versions

Cause

The child process is not the one generating the crossproc event.

Resolution

The console also includes the crossproc from the parent to the child in the childproc events. A child process will not be suppressed if it is the one generating a crossproc of its own. The key to reviewing crossprocs is the TO and FROM indicators in the crossproc event.