EDR: Linux Sensor allocates large amount of RAM and/or core dumps.

Article ID: 288255


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Sensor allocates large amounts of RAM.
  • Sensor core dumps.
  • Running the evl_manager by itself generates an error:
      # /usr/sbin/cb_ebpftool/evl_manager
      /usr/sbin/cb_ebpftool/evl_manager: error while loading shared libraries: libtinfo.so.5: cannot open shared object file: No such file or directory
  • The ldd command shows an error:
      # ldd /usr/sbin/cb_ebpftool/evl_manager
      libtinfo.so.5 => not found

Environment

  • EDR Linux Sensor: 6.x and 7.0.0, 7.0.1, 7.0.2
  • RHEL 8 with kernel version 4.4 and greater
  • CentOS 8 with kernel version 4.4 and greater

Cause

This is issue "CB-33825".

Resolution

CB-33825 is slated to be fixed in the 7.0.3 sensor, which will address the missing required OS packages either by static linking or by documentation stating the required prerequisites. The current workaround is to install the missing packages.
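
To find out which libraries the workaround has to supply on a given host, the ldd check from the Issue section can be scripted. The following is an added example, not vendor code: the function names and the sample ldd output are constructed for illustration, and the package lookup assumes dnf is available.

```sh
#!/bin/sh
# Added example (not vendor code): list libraries that ldd cannot resolve.
# Path taken from the article; override with EVL_MANAGER=... if needed.
EVL_MANAGER="${EVL_MANAGER:-/usr/sbin/cb_ebpftool/evl_manager}"

# Read ldd output on stdin and print each unresolved soname once.
missing_libs() {
    awk '/=> not found/ { if (!seen[$1]++) print $1 }'
}

# Constructed sample of ldd output, matching the symptom in the article.
sample_ldd_output() {
    printf '\tlinux-vdso.so.1 (0x00007ffd5e9f2000)\n'
    printf '\tlibtinfo.so.5 => not found\n'
    printf '\tlibc.so.6 => /lib64/libc.so.6 (0x00007f1c2a000000)\n'
    printf '\tlibtinfo.so.5 => not found\n'
}

# Ask the package manager which package ships a soname.
# Assumption: dnf is present (RHEL/CentOS 8); otherwise nothing is printed.
providers() {
    if command -v dnf >/dev/null 2>&1; then
        dnf -q provides "*/$1" 2>/dev/null || true
    fi
}

# Report unresolved libraries for one binary; returns 1 if any are missing.
# ldd may invoke the dynamic loader on the file, so point it only at
# trusted binaries such as the installed sensor.
report_missing() {
    libs=$(ldd "$1" 2>/dev/null | missing_libs)
    if [ -z "$libs" ]; then
        echo "$1: all shared libraries resolve"
        return 0
    fi
    for lib in $libs; do
        echo "$1: missing $lib"
        providers "$lib"
    done
    return 1
}

# Run the check only where the sensor binary is installed.
if [ -x "$EVL_MANAGER" ]; then
    report_missing "$EVL_MANAGER" || echo "install the packages listed above" >&2
fi
```

After installing the reported packages, rerun the script and confirm it prints that all shared libraries resolve before restarting the sensor.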

Additional Information

The Linux sensor uses eBPF for event forwarding on any OS with kernel version >= 4.4.