• When running some operations with the Carbon Black Cloud sensor running the System CPU usage will spike
• Procmon shows System writing to C:\ProgramData\CarbonBlack\Logs\CbKernelTrace.etl
• CbKernelTrace.etl shows the message 'Unable to parse NAME of the DNS message'
• Putting the sensor into bypass prevents the System CPU usage from spiking

• Carbon Black Cloud: All Supported Versions
• Carbon Black Cloud Windows Sensor: 4.x

The sensor is detecting an invalid DNS header causing it to write to this log

• Future sensors past 4.1 will no longer need to write this data preventing the issue
• Disabling XDR in the policy will also prevent the parsing of this data
• This can also be disabled on an individual sensor by changing the configprop MicroidsParseDNS to MicroidsParseDNS=0
• Disabling MicroidsParseDNS will prevent the sensor for analyzing the DNS data on the individual sensor