CB Response: Why is there still performance impact when the Sensor service is stopped on a Windows endpoint?

Article ID: 289072

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why is there still performance impact when the Sensor service is stopped on a Windows endpoint?

Environment

  • CB Response Server: All Versions
  • CB Response Sensor: All Versions
  • Microsoft Windows OS: All Supported Versions

Resolution

If the sensor service is stopped but the CB Response driver (carbonblackk) is still loaded as a filter driver, monitoring and data recording continue on the system.

Additional Information

  • This is expected behavior. The kernel driver collects a process event whenever a module (e.g., a .dll) loads, a network connection is established, a process executes, the registry is modified, or a file is written to. The sensor also collects metadata appropriate to the event (e.g., the user context, the MD5 hash of any binaries, and the actual binary if it has not been seen before).
  • Just because the sensor service is stopped does not mean that the sensor is disabled. The driver must be unloaded for all CB Response sensor impact to cease.
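
To confirm which state an endpoint is in, the following check compares the sensor service status with the list of loaded filter drivers. It is an added example, not vendor-supplied code. The driver name carbonblackk comes from this article; the service name CarbonBlack and the function names are assumptions to adjust for your install.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell prompt,
# because fltmc.exe requires administrator rights.
$DriverName  = 'carbonblackk'  # driver name as given in this article
$ServiceName = 'CarbonBlack'   # ASSUMPTION: sensor service name; adjust if different

# Parse the text table printed by "fltmc filters" into a list of filter names.
function Get-LoadedFilterName {
    param([string[]]$FltmcOutput)
    $inTable = $false
    foreach ($line in $FltmcOutput) {
        # Rows start after the dashed separator that follows the header.
        if ($line -match '^\s*-{3,}') { $inTable = $true; continue }
        if (-not $inTable -or [string]::IsNullOrWhiteSpace($line)) { continue }
        ($line.Trim() -split '\s+')[0]   # first column is the filter name
    }
}

# Combine service status and driver presence into one result object.
function Get-SensorState {
    param([string]$Service, [string]$Driver, [string[]]$FltmcOutput)
    $svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
    $serviceRunning = [bool]($svc -and $svc.Status -eq 'Running')
    $driverLoaded = @(Get-LoadedFilterName -FltmcOutput $FltmcOutput) -contains $Driver

    $summary = if ($driverLoaded -and -not $serviceRunning) {
        'Service stopped, driver still loaded: monitoring and recording continue.'
    } elseif ($driverLoaded) {
        'Service running and driver loaded: sensor fully active.'
    } else {
        'Driver not loaded: no filter driver activity from the sensor.'
    }

    [pscustomobject]@{
        ServiceFound   = [bool]$svc
        ServiceRunning = $serviceRunning
        DriverLoaded   = $driverLoaded
        Summary        = $summary
    }
}

$fltmc = & fltmc.exe filters
if ($LASTEXITCODE -ne 0) {
    throw "fltmc failed with exit code $LASTEXITCODE (is the prompt elevated?)"
}
Get-SensorState -Service $ServiceName -Driver $DriverName -FltmcOutput $fltmc
```

A result with ServiceRunning False and DriverLoaded True is the situation this article describes.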