Zombie Processes Created by Linux Sensor

Article ID: 290828

Updated On:

Products

  • Carbon Black Cloud Managed Detection and Response
  • Carbon Black Cloud Workload
  • Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
  • Carbon Black Cloud Managed Detection (formerly Cb Threatsight)
  • Carbon Black Cloud Prevention

Issue/Introduction

  • Zombie processes created by the cbagentd
    • ps -ef | grep -i ECStateEngine
      root 2125 1864 0 Dec15 ? 00:00:00 [ECStateEngine] <defunct>
      root 3682 1864 0 09:19 ? 00:00:00 [ECStateEngine] <defunct>
      root 7999 1864 0 Dec19 ? 00:00:00 [ECStateEngine] <defunct>
      root 8056 1864 0 Dec19 ? 00:00:00 [ECStateEngine] <defunct>

Environment

  • Carbon Black Cloud Linux Sensor: All Supported Versions
  • Linux: All Supported Versions

Cause

  • The sensor keeps restarting the event_collector, which leads to the orphaned zombie processes
  • This has been seen when the installed sensor version is not supported for the version of Linux it is running on

Resolution

  • Confirm that the sensor version is supported for the version of Linux here and upgrade if needed
  • For older sensors, 2.14.1 had improvements over previous versions when installed on a supported OS version

Additional Information

To verify whether zombie processes are present, run the command below in a terminal:
ps -ef | grep defunct
Output should look similar to:
ps -ef | grep defunct
root 489 30703 0 Nov15 ? 00:00:00 [ECStateEngine] <defunct>
root 526 30703 0 Nov15 ? 00:00:00 [ECStateEngine] <defunct>
root 535 30703 0 Nov15 ? 00:00:00 [ECStateEngine] <defunct>
root 565 30703 0 Nov15 ? 00:00:00 [ECStateEngine] <defunct>
root 1129 30486 0 Nov07 ? 00:00:00 [nsrexecd] <defunct>
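
As an added example (not part of the original article or of the sensor's own tooling), the shell function below groups zombies from a single ps snapshot by parent PID and shows each parent's name, so you can confirm which process is failing to reap them. The function names, the `ps -eo pid=,ppid=,stat=,comm=` column layout and the sample process table are assumptions; the sample lines are constructed, with cbagentd assumed as the parent of the ECStateEngine entries.

```shell
#!/bin/sh
# Added example: summarize zombie (state Z) processes by parent.
# Expected input: one process per line as "PID PPID STAT COMM ...",
# i.e. the output of:  ps -eo pid=,ppid=,stat=,comm=

summarize_zombies() {
    # Prints "COUNT PPID PARENT_COMM ZOMBIE_COMM", highest count first.
    awk '
        { comm[$1] = $4 }                       # remember every name by PID
        $3 ~ /^Z/ { n[$2 SUBSEP $4]++ }         # count zombies per (PPID, name)
        END {
            for (k in n) {
                split(k, p, SUBSEP)
                parent = (p[1] in comm) ? comm[p[1]] : "?"
                print n[k], p[1], parent, p[2]
            }
        }' | sort -k1,1nr -k2,2n
}

# Constructed sample process table (not captured from a real host).
sample_ps() {
cat <<'EOF'
    1     0 Ss   systemd
30703     1 Ssl  cbagentd
30486     1 Ss   nsrexecd
  489 30703 Z    ECStateEngine <defunct>
  526 30703 Z    ECStateEngine <defunct>
  535 30703 Z    ECStateEngine <defunct>
  565 30703 Z    ECStateEngine <defunct>
 1129 30486 Z    nsrexecd <defunct>
 2210     1 S    sshd
EOF
}

# Offline demonstration on the constructed sample:
sample_ps | summarize_zombies

# On a live host, feed it a real snapshot instead:
#   ps -eo pid=,ppid=,stat=,comm= | summarize_zombies
```

A count that keeps growing under the same parent PID between runs indicates that parent is still spawning children without reaping them.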