EDR Sensor: high memory utilization by cb.exe
Article ID: 290294
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
High memory usage of the sensor's user-mode process: cb.exe.
Environment
- EDR Sensor: 6.2.4 - 7.1.1
- Microsoft Windows: All Supported Versions
Cause
This occurs when the sensor is unable to register with the server after installation, usually due to the sensor being in an airgapped environment or a firewall rule preventing sensor to server communications - CB-32827
Resolution
- Upgrade to sensor version 7.2 or higher
- If unable to upgrade, the issue can be avoided by only installing the sensor on endpoints that are able to communicate with the server.
Additional Information
After successful registration and an event being sent from sensor to server, the sensor will cache events to the local filesystem if server communications are interrupted in the future. The issue only occurs when the sensor never registers with the server.
Feedback
Yes
No
Powered by
