(Unknown) Process Events In Process Search or Alerts

Article ID: 288264


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Process search or alert shows a process of "(unknown)"

  • Process appears in search results with the name "(unknown)".
  • The process graph may show the parent as "top".
  • Process start time may be inaccurate. 
  • PID is -1. 

Environment

  • Carbon Black EDR: 7.8.1 or Lower
  • Windows Sensor: 7.4.2 or Lower
  • Linux Sensor: 7.3.1 or Lower

Cause

Common causes for (unknown) processes:

  • Boot level processes that run before the driver is allowed to start.
  • Sensor was not running at the time the process executed. This can happen when the sensor service was stopped, newly installed, or re-installed.
  • A field is missing from the protobuf structure the sensor sends to the server.

Resolution

While unknowns may still occur if the OS does not return enough information about the child process to fill in the details, the recommendation is to upgrade the server and sensor to the latest versions.

If this is triggering many alerts, adding process_name:* and/or parent_name:* to your query will return only results that have a process name (and parent name). This does not introduce performance issues into the query, as these fields are indexed.
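As an added example (not Carbon Black's own code or API), the snippet below shows the two practical steps from this article: recognising the "(unknown)" records by the symptoms listed above, and appending process_name:* / parent_name:* to an existing search so only named processes come back. The record field names process_name, parent_name and process_pid, and the constructed sample results, are assumptions for illustration.

```python
"""Flag "(unknown)" process records and build a search that excludes them.

Added example, not Carbon Black's code. Field names below are assumed to
match the keys of EDR process search results.
"""

UNKNOWN_NAME = "(unknown)"


def is_unknown_process(record):
    """True when a record shows the symptoms of an (unknown) process:
    name "(unknown)", PID -1, or a parent rendered as "top"."""
    return (
        record.get("process_name") == UNKNOWN_NAME
        or record.get("process_pid") == -1
        or record.get("parent_name") == "top"
    )


def exclude_unknowns(query, require_parent=False):
    """Append process_name:* (and optionally parent_name:*) to a query so
    the search returns only results that carry names. An empty query
    yields just the name filter."""
    terms = [query.strip()] if query and query.strip() else []
    terms.append("process_name:*")
    if require_parent:
        terms.append("parent_name:*")
    return " AND ".join(terms)


def triage(records):
    """Split search results into (known, unknown) lists so an analyst can
    see how many alerts the unknowns account for before filtering."""
    known = [r for r in records if not is_unknown_process(r)]
    unknown = [r for r in records if is_unknown_process(r)]
    return known, unknown


# Constructed sample results (assumed shape; not real sensor data)
SAMPLE_RESULTS = [
    {"process_name": "svchost.exe", "parent_name": "services.exe", "process_pid": 812},
    {"process_name": UNKNOWN_NAME, "parent_name": "top", "process_pid": -1},
    {"process_name": "cmd.exe", "parent_name": "top", "process_pid": -1},
]

if __name__ == "__main__":
    known, unknown = triage(SAMPLE_RESULTS)
    print(f"{len(unknown)} of {len(SAMPLE_RESULTS)} results are (unknown) processes")
    print("filtered query:", exclude_unknowns("hostname:WIN10-01", require_parent=True))
```

Run the triage over a page of search results before changing an alert's query; if most hits are unknowns, the name filter removes the noise while leaving the indexed search cheap.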

Additional Information

  • Changes have been made in newer releases to reduce the number of unknowns. Specifically, the 7.9.0 server together with the 7.4.0 Linux and 7.5.0 Windows sensors corrects more of the cases where information is missing from the protobuf structure.
  • EDR typically captures 99.9% of all events that occur. For the 0.1% that are dropped, the Console UI renders them as Unknown Processes.