EDR: Crossproc Appears to be Suppressed When Using Recommended Retention

Article ID: 287419

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Per the CB Response User Guide:
    • Recommended Retention – The processes that contain only modload events are available under the parent processes and are searchable as child processes. You can search metadata, such as command line and user context, under the parent process.
  • Based on the 'only modload events' description above, when setting retention as 'Recommended', why are we seeing processes being suppressed that contain a crossproc?

Environment

  • EDR Server (formerly CB Response): All Supported Versions

Resolution

  • The server suppresses a process when 1) suppression is set to medium, which is the level Recommended retention uses, and 2) the process is considered 'eventless'. A crossproc event does not count as activity for this purpose: if a parent launches a child process and then performs a crossproc against it, that crossproc will not unsuppress the target of the crossproc event. So if parent.exe spawns child.exe, and child.exe performs no file operations and launches no subprocesses of its own, child.exe remains suppressed and its metadata is only searchable under parent.exe.
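The following is an added model of the suppression rule described above, written for this article and not Carbon Black's own code. The event tuples, the process names and the `level="medium"` parameter are constructed for the example; it shows which processes in a small tree stay eventless and under which parent an analyst would have to search for them.

```python
from collections import defaultdict

# Constructed model of the suppression rule in this article (not EDR source code).
# Only file operations and spawning a subprocess count as activity; "modload" and
# "crossproc" are deliberately absent, so neither the source nor the target of a
# crossproc is unsuppressed by it.
UNSUPPRESSING = {"filemod", "childproc"}


def suppression_state(events, level="medium"):
    """Map each process id to True (suppressed) or False (visible).

    events: (process_id, parent_id, event_type, target_id) tuples, constructed
    for this example. target_id is set only on crossproc events.
    """
    seen = defaultdict(set)
    for pid, parent, etype, target in events:
        seen[pid].add(etype)
        if parent is not None:
            seen[parent].add("childproc")   # launching a child is activity for the parent
        if etype == "crossproc" and target is not None:
            seen.setdefault(target, set())  # target gains no activity from being touched
    if level != "medium":
        return {pid: False for pid in seen}  # no suppression at other levels in this model
    return {pid: not (types & UNSUPPRESSING) for pid, types in seen.items()}


def searchable_under(events, level="medium"):
    """For each suppressed process, the parent whose record holds its metadata."""
    parent_of = {pid: parent for pid, parent, _, _ in events if parent is not None}
    state = suppression_state(events, level)
    return {pid: parent_of.get(pid) for pid, suppressed in state.items() if suppressed}


# Constructed sample tree: parent.exe spawns child.exe (modload only) and
# sibling.exe (modload plus a file write), then performs a crossproc on child.exe.
SAMPLE_EVENTS = [
    ("parent.exe", None, "childproc", None),
    ("child.exe", "parent.exe", "modload", None),
    ("parent.exe", None, "crossproc", "child.exe"),
    ("sibling.exe", "parent.exe", "modload", None),
    ("sibling.exe", "parent.exe", "filemod", None),
]

if __name__ == "__main__":
    print(suppression_state(SAMPLE_EVENTS))   # child.exe is the only suppressed process
    print(searchable_under(SAMPLE_EVENTS))    # {'child.exe': 'parent.exe'}
```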