Does the EDR Sensor Collect Events from cb.exe?

Article ID: 373416

Updated On:

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

Does the sensor's user process, cb.exe, also collect events for itself?

Environment

  • Carbon Black EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

By default, the only events collected for the cb.exe user process are netconns and childprocs.

To collect all events from the cb.exe process:

  1. Open regedit
  2. Go to HKLM\SOFTWARE\CarbonBlack\config
  3. Edit the CollectSensorOperations config (DWORD) and set it to 1
  4. Restart sensor services
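
The same steps as a PowerShell script that first reports the current value and only changes it when run with -Apply. This is an added example, not code from the vendor article. The script name in the comments and the default service name 'CarbonBlack' are assumptions; confirm the service name on the endpoint with Get-Service before use.

```powershell
# Added example (not vendor code): audit or enable CollectSensorOperations.
# Audit only:        .\Set-CbSelfCollection.ps1          (script name is hypothetical)
# Enable + restart:  .\Set-CbSelfCollection.ps1 -Apply   (run from an elevated prompt)
[CmdletBinding(SupportsShouldProcess)]
param(
    # ASSUMPTION: sensor service name; verify with Get-Service on the endpoint.
    [string]$ServiceName = 'CarbonBlack',
    [switch]$Apply
)

$key     = 'HKLM:\SOFTWARE\CarbonBlack\config'   # key from step 2
$name    = 'CollectSensorOperations'             # value from step 3
$desired = 1                                     # 1 = collect all cb.exe events

if (-not (Test-Path -Path $key)) {
    throw "Registry key $key not found; is the EDR sensor installed on this host?"
}

# A missing value means the default applies: only netconns and childprocs
# are collected for cb.exe.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$shown   = if ($null -eq $current) { '<not set>' } else { $current }
Write-Output "$env:COMPUTERNAME : $name = $shown"

if (-not $Apply) { return }

if ($current -eq $desired) {
    Write-Output 'Already enabled; no change made and no restart needed.'
    return
}

if ($PSCmdlet.ShouldProcess($key, "Set $name (DWORD) to $desired and restart $ServiceName")) {
    # -Force creates the value if absent and overwrites it if present.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord `
        -Value $desired -Force | Out-Null

    # Step 4: the sensor reads the setting when its services restart.
    Restart-Service -Name $ServiceName -ErrorAction Stop

    $after = (Get-ItemProperty -Path $key -Name $name).$name
    Write-Output "$env:COMPUTERNAME : $name = $after (service $ServiceName restarted)"
}
```

Running it without -Apply across a group of endpoints gives a quick inventory of where full cb.exe collection is already enabled, which helps when tracing unexpected event volume.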

Additional Information

  • There is no configuration setting in the console for this.
  • Tracking the cb.exe process can create additional noise and potentially reduce retention.