EDR: Clicking on a process links to the wrong process analysis page due to duplicated PID

Article ID: 288105

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • When clicking a process in the Process Analysis page, the resulting information is for an entirely different process
  • Alerts are for one process, but Process Analysis shows another process

Environment

  • EDR Console: 6.x and Higher (formerly CB Response)
  • EDR Windows Sensor: 6.x
  • Microsoft Windows: All Supported Versions

Cause

Duplicate PIDs being reused by the Windows OS.

Resolution

Upgrade to sensor version 7.0.0 or newer.

Additional Information

  • CB Response uses the PID as a unique identifier for each incoming process. If a second process is ingested with the same PID, the older record is overwritten. For this reason, clicking on a process could potentially link to a different, newer process that happens to share the same PID.
  • The 7.0.0 Windows sensor version introduces improved PID tracking.
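
The overwrite behavior described above can be reproduced with a small model. This is an added example, not Carbon Black code: the event fields, the sample events, and the composite key of PID plus start time are assumptions made for illustration, and do not describe how the 7.0.0 sensor tracks PIDs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    start_time: str  # process creation time, ISO 8601
    path: str

# Constructed sample events from one endpoint: PID 4312 is reused.
EVENTS = [
    ProcEvent(4312, "2024-01-10T09:00:00Z", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(5120, "2024-01-10T09:01:00Z", r"C:\Windows\System32\notepad.exe"),
    ProcEvent(4312, "2024-01-10T09:30:00Z", r"C:\Windows\System32\svchost.exe"),
]

def index_by_pid(events):
    """PID-only key, as the article describes: a later event replaces the older record."""
    store = {}
    for ev in events:
        store[ev.pid] = ev
    return store

def index_by_pid_and_start(events):
    """Composite key (assumption for this example): reused PIDs stay distinct."""
    return {(ev.pid, ev.start_time): ev for ev in events}

def reused_pids(events):
    """Return {pid: [events]} for every PID seen with more than one start time."""
    seen = {}
    for ev in events:
        seen.setdefault(ev.pid, []).append(ev)
    return {pid: evs for pid, evs in seen.items()
            if len({e.start_time for e in evs}) > 1}

def pivot_matches_alert(alerted, store):
    """Analyst check: is the record reached through the PID the process that alerted?"""
    linked = store.get(alerted.pid)
    return linked is not None and \
        (linked.start_time, linked.path) == (alerted.start_time, alerted.path)

if __name__ == "__main__":
    store = index_by_pid(EVENTS)
    print("PID-only record for 4312:", store[4312].path)
    print("Alert on cmd.exe resolves correctly:", pivot_matches_alert(EVENTS[0], store))
    print("Reused PIDs:", sorted(reused_pids(EVENTS)))
```

Comparing the start time and path of the alerted process against the linked record is a quick way to recognize this issue during triage on sensors older than 7.0.0.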