EDR Sensor: Increased disk reads to PVS drive during sign in on Citrix non-persistent VDI
search cancel

EDR Sensor: Increased disk reads to PVS drive during sign in on Citrix non-persistent VDI

book

Article ID: 289884

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

With the EDR sensor installed, Bytes Read to PVS drive increases by several hundred megabytes

Environment

  • EDR Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Citrix non-presistent VDI

Cause

In order to track events, the sensor must perform a hash against any processes during login. 

Resolution

The product is behaving as designed

Additional Information

  • The amount of reads will depend on the number of services that start during login
  • Reports may show large disk reads, but internal investigation of actual network impact should be investigated internally to determine true impact
  • Collection of specific events can be stopped in the sensor group settings, but will result in a lost of visibility
Powered by Wolken Software