EDR Sensor: high memory utilization by cb.exe
search cancel

EDR Sensor: high memory utilization by cb.exe


Article ID: 290294


Updated On:


Carbon Black EDR (formerly Cb Response)


High memory usage of the sensor's user-mode process: cb.exe.


  • EDR Sensor: 6.2.4 - 7.1.1
  • Microsoft Windows: All Supported Versions


This occurs when the sensor is unable to register with the server after installation, usually due to the sensor being in an airgapped environment or a firewall rule preventing sensor to server communications - CB-32827


  • Upgrade to sensor version 7.2 or higher
  • If unable to upgrade, the issue can be avoided by only installing the sensor on endpoints that are able to communicate with the server.

Additional Information

After successful registration and an event being sent from sensor to server, the sensor will cache events to the local filesystem if server communications are interrupted in the future. The issue only occurs when the sensor never registers with the server.