What should I do if I observe high CPU usage on a Windows endpoint?
High CPU usage by the Carbon Black Sensor (cb.exe) might occur on various types of servers, such as domain controllers, DHCP/DNS servers, Exchange servers, or application servers requiring extensive lookups. You can verify this behavior by checking the Task Manager.
Resolution: To mitigate this issue, add the following registry entry and restart the server:
[HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config]
"DisableNetConnNameResolution"=dword:00000001
What steps should I take if the endpoint does not show up in Red Canary or my VMware Carbon Black EDR instance after installing the sensor?
Troubleshooting Steps:
- Verify Service Status:
  - Ensure that cb.exe is running and the "Carbon Black Sensor" service is listed as "Running" in the Services console.
- Check Network Connectivity:
  - Confirm there are no firewalls, web filters, or proxies blocking communication to https://<subdomain>-cb.my.redcanary.co:443.
  - DNS resolution should be functioning correctly.
- Browser Test:
  - Visit the URL above from the non-reporting system. You should reach a Cb login screen after bypassing any SSL certificate warnings.
- Reboot:
  - If connectivity issues persist, try rebooting the system if feasible. This is especially relevant for older systems like Windows XP/2003, where a reboot post-installation might be necessary.
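The service, DNS and port checks above can be run in one pass from the non-reporting endpoint. The script below is an added example, not part of the original article or vendor tooling; the host name is a placeholder you must replace with your own subdomain, and Resolve-DnsName and Test-NetConnection require Windows 8 / Server 2012 or later, so it does not apply to XP/2003 systems.

```powershell
# Added example: checks the sensor service, the cb.exe process, DNS and TCP 443.
param(
    # Assumption: placeholder host; substitute your own subdomain.
    [string]$CbHost = '<subdomain>-cb.my.redcanary.co',
    [int]$Port = 443
)

$results = [ordered]@{}

# 1. Service status: the "Carbon Black Sensor" service must be Running.
$svc = Get-Service -DisplayName 'Carbon Black Sensor' -ErrorAction SilentlyContinue
$results['ServiceRunning'] = [bool]($svc -and $svc.Status -eq 'Running')

# 2. Process check: cb.exe should be present in the process list.
$results['ProcessRunning'] = [bool](Get-Process -Name 'cb' -ErrorAction SilentlyContinue)

# 3. DNS: the server name must resolve from this endpoint.
try {
    $null = Resolve-DnsName -Name $CbHost -ErrorAction Stop
    $results['DnsResolves'] = $true
} catch {
    $results['DnsResolves'] = $false
}

# 4. TCP: only meaningful if the name resolved.
if ($results['DnsResolves']) {
    $tcp = Test-NetConnection -ComputerName $CbHost -Port $Port -WarningAction SilentlyContinue
    $results['TcpReachable'] = [bool]$tcp.TcpTestSucceeded
} else {
    $results['TcpReachable'] = $false
}

# Print a summary and return a non-zero exit code if any check failed,
# so the script can be used from deployment or monitoring tooling.
[pscustomobject]$results | Format-List
if ($results.Values -contains $false) { exit 1 }
```

Test-NetConnection opens a direct TCP connection and does not use a configured proxy, so it does not replace the browser test.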
How can I resolve duplicate sensor IDs on a Windows system?
To resolve a duplicate sensor ID without reinstalling:
- Open Services and stop the "Carbon Black Sensor" service.
- Open the Registry Editor (regedit).
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config.
- Set the SensorID value to 0.
- Restart the "Carbon Black Sensor" service.
What should I do if the Carbon Black Sensor is not listed in the Programs and Features list?
This issue can be due to a corrupted sensor installation. The solution is to uninstall and then reinstall the sensor using a fresh installer package from the Carbon Black EDR console.
Steps:
- Uninstall the sensor following instructions specific to corrupted sensor removal.
- Download a new sensor installer from the Carbon Black EDR console.
- Reinstall the sensor and reboot the system.
How can I restart the VMware Carbon Black EDR sensor?
If you need to manually restart the Carbon Black EDR sensor, follow the steps for your operating system per How to Restart the VMware CB EDR Sensor.
Networking Requirements for VMware Carbon Black
Ensure your environment meets all network requirements for proper sensor communication. Detailed documentation on network requirements and allowlist domains can be found in VMware's Operating Environment Requirements.