How to Troubleshoot Sensor Performance Issues

Article ID: 284922

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How to troubleshoot sensor performance issues

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Apple MacOS: All Supported Versions
  • Linux: All Supported Versions

Resolution

  1. Check the knowledge base to confirm whether this is a known issue. Be sure to log in first, as not all articles are publicly available.
  2. Put the sensor in bypass to confirm whether the issue persists when policy enforcement is disabled. If not, proceed to step 3. If yes, proceed to step 7.
  3. If there are other security products installed, ensure that the CBC Sensor has been excluded in all third-party security software and that exclusions have been added in the CBC Policy for the third-party security software installed on the device. If not, proceed to step 4.
  4. If Endpoint Standard is enabled, place the device in a test policy and disable Endpoint Standard Reporting and Enforcement using Policy Rules to confirm whether a permission rule might work around or resolve the issue.
    • If disabling Endpoint Standard resolves the issue, proceed to step 5.
    • If disabling Endpoint Standard does not resolve the issue, or if Endpoint Standard is disabled, proceed to step 6.
  5. Create a path-based Permission rule that allows the relevant application paths to run. If the issue is caused by an interoperability problem between VMware Carbon Black and the Operating System / Third Party Software, an API Bypass or Full Bypass rule will likely be required.
  6. If any relevant hashes do not have a definite reputation (anything other than NOT_LISTED or UNKNOWN) or a trusted reputation, the hashes may need to be added to the CBC Company Approved List, provided your organization determines that the hashes should be trusted. If not, or if this does not resolve the issue, go to step 7.
  7. Uninstall the Sensor to confirm whether the issue persists when the sensor is uninstalled. If yes, this is likely not a CB issue. If not, please create a Support Case with the following details:

Information Required for Performance Support Case 

  1. Define the problem
    1. Is there high disk usage / CPU / Memory, device crash, processes hanging?
      • If processes are hanging, is it just a few processes or the whole system, e.g. general system sluggishness?
    2. Would it be possible to provide a video recording demonstrating the issue? 
  2. Background information
    • The Device ID or Name of the impacted device.
    • When the issue started occurring and whether any changes led up to it.
    • Any applicable application names and the paths/processes involved when the impact occurs.
    • Are there other 3rd party security applications installed? Have exclusions been configured?
  3. Are there other resource issues besides CPU / Memory? What is the overall resource usage? Use the utility applicable for your OS:
    • Windows: Resource Monitor Overview tab
    • MacOS: Activity Monitor
    • Linux: Use the ps command. Check the relevant documentation for your specific OS for usage instructions.
      • This tool can be used to get CPU performance logging for Linux
  4. Are there any specific behaviors or steps that trigger the issue (for example, launching an application, selecting a tab / link / process, executing a specific function, etc.)?
    • Windows: If the operation can be performed from the command line, run it from a PowerShell prompt and use Measure-Command to get precise times.
  5. What is the expected behavior vs the current behavior? 
  6. When did the performance issue start? What changes occurred?
    1. New sensor install or upgrade?
    2. Windows update?
    3. Other security software installed or updated?
  7. Does this issue happen when the sensor is in bypass, when it is uninstalled, or when the relevant applications are allowed in a permission rule or added to the Company Approved List?
  8. Collect sensor and performance logs:
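
For the Linux item in step 3 above (overall resource usage with ps), the following is an added example, not part of the original article and not Carbon Black tooling, that samples ps at a fixed interval into a CSV file that can be attached to a support case. The function names, output path, interval, CPU threshold and process-name pattern are all assumptions, and a procps-style ps is assumed.

```sh
#!/bin/sh
# Added example (not from the original article). Assumes a procps-style ps.
# Note: ps %CPU is CPU time divided by process lifetime, so repeated samples
# show the trend rather than an instantaneous reading.

# ps_to_csv TIMESTAMP MIN_CPU [PATTERN]
# Reads `ps -eo pid,pcpu,pmem,rss,comm` output on stdin and writes CSV rows for
# processes at or above MIN_CPU, plus any whose command matches PATTERN
# (a user-supplied regex, e.g. the affected application's process name).
ps_to_csv() {
    awk -v ts="$1" -v min="${2:-0}" -v pat="${3:-}" '
        $1 == "PID" { next }                      # skip the header row
        NF >= 5 {
            name = $5                             # command may contain spaces
            for (i = 6; i <= NF; i++) name = name " " $i
            if ($2 + 0 >= min + 0 || (pat != "" && name ~ pat)) {
                gsub(/"/, "\"\"", name)           # CSV-escape embedded quotes
                printf "%s,%s,%s,%s,%s,\"%s\"\n", ts, $1, $2, $3, $4, name
            }
        }'
}

# sample_ps OUTFILE [INTERVAL_SECONDS] [COUNT] [MIN_CPU] [PATTERN]
# Appends COUNT samples to OUTFILE, INTERVAL_SECONDS apart.
sample_ps() {
    [ -s "$1" ] || echo "timestamp_utc,pid,pcpu,pmem,rss_kb,command" > "$1"
    n=0
    while [ "$n" -lt "${3:-12}" ]; do
        ps -eo pid,pcpu,pmem,rss,comm |
            ps_to_csv "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${4:-1.0}" "${5:-}" >> "$1"
        n=$((n + 1))
        if [ "$n" -lt "${3:-12}" ]; then sleep "${2:-5}"; fi
    done
}

# Example call (path and pattern are placeholders):
#   sample_ps /tmp/ps_samples.csv 5 12 1.0 'myapp'
```

Start the sampling before reproducing the issue and let it run through the slowdown, so the CSV covers the period before, during and after the impact.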