EDR: Process search returns non-existing cmdline

Article ID: 288008

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

  • Search returns a process not matching the cmdline
  • bit9advancedthreats reports processes with cmdline containing "echo"

Environment

  • Carbon Black Response Console: All Versions

Cause

Suppression is enabled

Resolution

This is expected behavior when a retention (suppression) level is set on the sensor group. Setting the retention level to 'minimal' allows child processes to have their own process documents.

Additional Information

  • Setting minimal retention reduces the amount of event data the server is able to keep. Expect a 15 to 20% reduction in overall retention on average.
  • The retention setting suppresses child processes that only perform modloads (recommended) or only modloads and crossprocs (maximum) and places their cmdline into the parent's document. The child can still be found by a command-line search, but the hit is the parent document: the child has no document of its own to search by process name or to view its modloads/crossprocs.
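The folding described in the second bullet, as an added illustration that is not the product's own code or document schema: a simplified model in which a child whose events are all of a suppressed type is merged into its parent's document, so a cmdline search for "echo" returns the parent process. The per-level event sets and the sample process tree are constructed assumptions.

```python
"""Simplified model of EDR retention (suppression) levels.

Constructed illustration only (assumed schema, not Carbon Black's): a child
process whose events are all of a suppressed type is folded into its parent's
document, and its cmdline is appended to the parent's searchable cmdlines.
"""
from dataclasses import dataclass, field

# Event types folded into the parent at each retention level (assumption).
SUPPRESSED = {
    "minimal": set(),
    "recommended": {"modload"},
    "maximum": {"modload", "crossproc"},
}


@dataclass
class Process:
    name: str
    cmdline: str
    events: set[str]                      # event types this process produced
    children: list["Process"] = field(default_factory=list)


def build_documents(proc: Process, level: str) -> list[dict]:
    """Return the process documents the server keeps at a retention level."""
    doc = {"process_name": proc.name, "cmdlines": [proc.cmdline],
           "suppressed_children": []}
    docs = [doc]
    for child in proc.children:
        if child.events and child.events <= SUPPRESSED[level]:
            # Folded: cmdline stays searchable, but no document of its own.
            doc["cmdlines"].append(child.cmdline)
            doc["suppressed_children"].append(child.name)
        else:
            docs.extend(build_documents(child, level))
    return docs


def search_cmdline(docs: list[dict], term: str) -> list[str]:
    """Process names whose document carries a cmdline containing term."""
    return [d["process_name"] for d in docs
            if any(term in c for c in d["cmdlines"])]


# Constructed sample tree: a shell spawning a child that only loads modules.
TREE = Process("cmd.exe", "cmd.exe /c start", {"filemod"}, [
    Process("echo_helper.exe", "echo_helper.exe echo hello", {"modload"}),
    Process("powershell.exe", "powershell.exe -File x.ps1",
            {"modload", "crossproc"}),
])

if __name__ == "__main__":
    for level in SUPPRESSED:
        print(level, search_cmdline(build_documents(TREE, level), "echo"))
```

Under 'recommended' the search for "echo" returns cmd.exe, whose own cmdline does not contain "echo", which is the symptom the article describes; under 'minimal' it returns the child itself.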