EDR: Returned Process Cmdline Does Not Match Returned Search Value
Article ID: 290353
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Process search includes a cmdline argument that is not returned on the Analysis or Preview panel
- Process document shows multiple cmdline values for process GUID
Environment
- EDR Server: 7.6.x
Cause
Suppressed childproc's cmdline arguments will be saved with the process. Although they do not appear in the UI, they are match on the back-end search
Resolution
- This behavior is currently as designed, but future work to enhance this behavior is tracked with ID CB-39742
- The cmdline values can be retrieved through a process document to confirm if there is a matchÂ
Additional Information
There are issues in 7.6 which prevent viewing suppressed childproc information which will be address in the future via CB-37556
Feedback
Yes
No
Powered by
