Endpoint Standard: Does the sensor suppress network events for UDP port 137/138 netbios traffic?
Article ID: 291945
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
A third-party network tool confirms the presence of UDP port 137/138 NetBIOS traffic, but the corresponding network events do not appear in the PSC Console.
Environment
Endpoint Standard (was CB Defense): All Versions
Carbon Black Cloud Sensor: All Supported Versions
Resolution
Some NetBIOS traffic may not be displayed in the Console because the sensor's internal suppression logic drops repeated network events.
Additional Information
If the process hash, operation type, success/failure, port, and remote address are the same, the sensor drops subsequent network activity event messages. This keeps high-frequency, low-threat messages from crowding the Alerts and Investigate pages and from filling the sensor's message queues, which would risk dropping more significant events.
Since the system process commonly sends high-frequency UDP messages to many remote addresses on ports 137/138 for NetBIOS traffic, the remote address is removed from the suppression calculation for those events. Repeated NetBIOS traffic from the same process to different hosts therefore collapses into a single reported event.
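As an added illustration of the suppression rule described above (a model written for this article, not the sensor's own code), the following Python builds the deduplication key per event and drops repeats. The event fields, the sample hash and addresses, and the absence of any time window are assumptions.

```python
from dataclasses import dataclass

# Ports for which the remote address is left out of the suppression key (per the article).
NETBIOS_PORTS = {137, 138}


@dataclass(frozen=True)
class NetEvent:
    process_hash: str   # constructed placeholder, not a real hash
    operation: str      # e.g. "udp_send", "tcp_connect" (constructed labels)
    success: bool
    port: int
    remote_addr: str


def suppression_key(ev: NetEvent) -> tuple:
    """Key under which repeat events are collapsed.

    For ports 137/138 the remote address is omitted, so NetBIOS traffic from one
    process to many hosts yields one reported event; for other ports the remote
    address stays in the key and each new peer is reported.
    """
    remote = None if ev.port in NETBIOS_PORTS else ev.remote_addr
    return (ev.process_hash, ev.operation, ev.success, ev.port, remote)


def suppress(events):
    """Return the events the sensor would report; repeats of a seen key are dropped.

    Assumption: no time window, so a key is suppressed for the whole input.
    """
    seen = set()
    reported = []
    for ev in events:
        key = suppression_key(ev)
        if key in seen:
            continue
        seen.add(key)
        reported.append(ev)
    return reported


# Constructed sample: system process browsing NetBIOS, plus some SMB connects.
SAMPLE_EVENTS = [
    NetEvent("sys-hash", "udp_send", True, 137, "10.0.0.5"),      # reported
    NetEvent("sys-hash", "udp_send", True, 137, "10.0.0.6"),      # dropped (addr ignored)
    NetEvent("sys-hash", "udp_send", True, 137, "10.0.0.7"),      # dropped (addr ignored)
    NetEvent("sys-hash", "udp_send", True, 138, "10.0.0.5"),      # reported (new port)
    NetEvent("sys-hash", "udp_send", False, 137, "10.0.0.8"),     # reported (failure differs)
    NetEvent("sys-hash", "tcp_connect", True, 445, "10.0.0.5"),   # reported
    NetEvent("sys-hash", "tcp_connect", True, 445, "10.0.0.6"),   # reported (addr in key)
    NetEvent("sys-hash", "tcp_connect", True, 445, "10.0.0.5"),   # dropped (exact repeat)
]

if __name__ == "__main__":
    for ev in suppress(SAMPLE_EVENTS):
        print(ev)
```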