EDR: Why are some processes listed as (unknown)?
search cancel

EDR: Why are some processes listed as (unknown)?

book

Article ID: 290117

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why are some processes listed as (unknown) in the process tree?

Environment

  • EDR( formerly CB Response) Server: All Versions
  • EDR Sensor: All Versions
  • Linux: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Resolution

This is a technical limitation of the sensor. Potential causes include:
  • Processes that are already running prior to Sensor startup will be missing ProcessStart data and shows as unknown
  • Sensor sends malformed event messages to server
  • Server purges first segment of long running process after MaxEventStoreDays (pre-6.x sensor only)
  • Server is shutdown while event data is being processed in datastore

Additional Information

  • The 6.3 Windows sensor addresses multiple data integrity issues that cause a running process to appear as unknown
  • Despite the items listed, EDR still typically captures 99.9% of all events that occur
  • However, for the 0.1% dropped, the Console UI renders these as Unknown Processes
Powered by Wolken Software