EDR: Windows Sensor Causing High CPU/memory Utilization on Netconn Intense Server

Article ID: 291649

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • The sensor's cb.exe process spikes to high CPU/memory usage.
  • A significant amount of CPU time and memory is spent attempting to resolve IP addresses by looking them up in the OS DNS cache.

Environment

  • EDR: 6.x - 7.x
  • EDR Sensor: 5.x - 7.1
  • Microsoft Windows: All Supported Versions
  • High-traffic servers (Domain Controllers, DHCP/DNS servers)

Cause

DNS name resolution performed while collecting netconn (network connection) data causes the collection to consume additional CPU/memory resources to complete the task.

Resolution

  • Upgrade to the 7.1.1-win sensor or higher.
  • As a workaround until an upgrade to 7.1.1-win is possible:
  1. Upgrade to the 6.1.4-win sensor or greater.
  2. Add the following registry key:
     [HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config]
     "DisableNetConnNameResolution"=dword:00000001
     • For large deployments you can script the change using reg add:
       reg add hklm\software\carbonblack\config /v DisableNetConnNameResolution /t REG_DWORD /d 0x00000001
     • For new installations, open sensorsettings.ini found in the install package and add the following parameter at the bottom:
       DisableNetConnNameResolution=1
  3. Restart the sensor service.
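The following PowerShell script is an added example for this article, not code shipped by Carbon Black. It applies the workaround above on one host: it checks that the installed sensor is at least 6.1.4 (the version from which the registry value is honoured), creates the config key if it is missing (the article notes the value does not exist by default), sets DisableNetConnNameResolution to 1, reads it back, and restarts the sensor service. It also includes a helper that adds the sensorsettings.ini line for new installation packages. The sensor binary path (C:\Windows\CarbonBlack\cb.exe), the use of its file version as the sensor version, and the service name 'CarbonBlack' are assumptions not stated in the article; adjust them for your deployment.

```powershell
# Added example (not from the KB article): apply the DisableNetConnNameResolution
# workaround on a Windows host and verify it took effect.
# Assumptions (not stated in the article): the sensor binary is at
# C:\Windows\CarbonBlack\cb.exe and its file version tracks the sensor version;
# the sensor service is named 'CarbonBlack'. Change these if your install differs.

$RegPath    = 'HKLM:\SOFTWARE\CarbonBlack\config'   # key named in the article
$ValueName  = 'DisableNetConnNameResolution'         # value named in the article
$CbExe      = 'C:\Windows\CarbonBlack\cb.exe'        # assumption
$SvcName    = 'CarbonBlack'                          # assumption
$MinVersion = [version]'6.1.4'                       # article: 6.1.4-win or greater
$FixVersion = [version]'7.1.1'                       # article: fixed in 7.1.1-win

function Get-SensorVersion {
    # Read the sensor version from the cb.exe file version (assumption, see above).
    if (-not (Test-Path -LiteralPath $CbExe)) {
        throw "Sensor binary not found at $CbExe; is the EDR sensor installed?"
    }
    return [version](Get-Item -LiteralPath $CbExe).VersionInfo.FileVersion
}

function Set-NetConnNameResolutionDisabled {
    # Returns $true if the value was changed, $false if it was already 1.
    # The article notes the value does not exist by default, so create the key
    # and the value rather than assuming they are present.
    if (-not (Test-Path -LiteralPath $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    $current = (Get-ItemProperty -LiteralPath $RegPath -Name $ValueName `
                -ErrorAction SilentlyContinue).$ValueName
    if ($current -eq 1) {
        Write-Host "$ValueName is already 1 under $RegPath; nothing to do."
        return $false
    }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
                     -Value 1 -Force | Out-Null
    # Read back to confirm the write actually landed.
    $after = (Get-ItemProperty -LiteralPath $RegPath -Name $ValueName).$ValueName
    if ($after -ne 1) { throw "Failed to set $ValueName (read back '$after')" }
    Write-Host "$ValueName set to 1 under $RegPath"
    return $true
}

function Add-SensorSettingsIniParameter {
    # For new installations: append DisableNetConnNameResolution=1 to the
    # sensorsettings.ini in the install package, unless it is already set.
    param([Parameter(Mandatory)][string]$IniPath)
    if (-not (Test-Path -LiteralPath $IniPath)) { throw "Not found: $IniPath" }
    $lines = Get-Content -LiteralPath $IniPath
    if ($lines -match "^\s*$ValueName\s*=\s*1\s*$") {
        Write-Host "$IniPath already contains $ValueName=1"
        return $false
    }
    Add-Content -LiteralPath $IniPath -Value "$ValueName=1"
    Write-Host "Appended $ValueName=1 to $IniPath"
    return $true
}

# --- Apply the workaround on this host ---
$ver = Get-SensorVersion
if ($ver -lt $MinVersion) {
    Write-Warning "Sensor $ver is below $MinVersion; the registry value is not honoured. Upgrade the sensor first."
    return
}
if ($ver -ge $FixVersion) {
    Write-Host "Sensor $ver is at or above $FixVersion, which the article lists as the fix; the workaround is optional."
}
if (Set-NetConnNameResolutionDisabled) {
    # The article's Resolution says to restart the sensor service, and its
    # Additional Information says a full Windows reboot is required after
    # changing the key; restart the service now and plan the reboot.
    Restart-Service -Name $SvcName -ErrorAction Stop
    Write-Host "Restarted service '$SvcName'. Schedule a reboot of this host to complete the change."
}

# For an install package, run e.g.:
#   Add-SensorSettingsIniParameter -IniPath 'C:\path\to\package\sensorsettings.ini'
```

Run it in an elevated PowerShell session on the affected server, or wrap the body in Invoke-Command to push it to many hosts. The read-back after New-ItemProperty is the check worth keeping in any mass-deployment script: a silently failed write leaves the sensor still resolving names and the CPU problem unchanged.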

Additional Information

  • Customers have observed that the Windows sensor can report high CPU utilization by the EDR Sensor service (cb.exe) on machines with a continuously large number of network connections (e.g., DHCP/DNS servers, Domain Controllers). To alleviate the high CPU utilization without having to disable collection of network events, the Windows sensor can be configured to disable DNS name resolution during data collection for network connection events.
  • The required registry key for disabling name resolution on netconn events does not exist on the 6.1.4 sensor by default. It has to be manually created in order to enable this feature.
  • A full Windows reboot is required after adding or modifying the registry key setting.