CB PSC: Alert Notifications Delayed From A Single Machine
search cancel

CB PSC: Alert Notifications Delayed From A Single Machine

book

Article ID: 288590

calendar_today

Updated On: 06-28-2019

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Alert notifications delayed from a single machine while other machines within the environment are alerting without any delays.

Environment

  • CB Defense PSC Sensor: 3.2.1.51 and higher
  • Microsoft Windows: All supported versions
  • MacOS: All supported versions

Cause

There are a several reasons why this could occur: 
  1. The system did not have a network connection at the time of the event.
  2. The event occurred right before a system shutdown and before the sensor was able to finish uploading event data. 
  3. When running a background scan or a large backup job on a file server with thousands of files being scanned some alerts may be slightly delayed as the event data is being processed.

Resolution

For systems that did not have a network connection or events were not uploaded before the system was shutdown:
  • Alert and collected event data will be uploaded to the console when connectivity has been restored and will require some processing time before alerts can be generated.
  • Checking the Event Time Line of the system in question will show a gap if the system was offline.
File Servers are uniquely impacted by scanner settings as performance and duration of a scan is a function of processing power, file sizes and counts.
  • Enabling Background Scan on file servers should be evaluated carefully.
  • On-Access File Scan can also be impacted by backup applications. We recommend evaluating a vendor's AV scanning guidelines.
Powered by Wolken Software