
[Cb Response] Slow Boot Times on Win10 April 2018 Update

Hello All,

In some instances, Windows 10 machines with the 1803 Build have been experiencing longer boot times. The near-term workaround is to set the driver startup configuration to “auto-delayed.” This should prevent the driver from starting until 2 minutes after startup. Please note, the sensor will not collect events that occur before the driver starts.

The following link shows that this issue also affects computers that do not have the Cb Sensor installed.

https://answers.microsoft.com/en-us/windows/forum/windows_10-update/slow-boot-for-windows-1803/997b3...

We are working aggressively towards a solution that will resolve this issue without altering the startup configuration. Thank you!

Regards,

The Cb Response Team

Comments

Hi Team,

Is there an update on this? It's causing an issue across the organization.

Hi Manpreet,

We are working towards a solution to this issue. In the meantime we have a workaround by using the command "sc config carbonblack start= delayed-auto"

The side effect of this temporary change is that the sensor will miss recording any events that occur before it starts, but this should be in the order of less than a minute or two.

Is this with any/all versions of Cb Response, or just certain versions of the sensor?

Hi,

This would affect all compatible sensors for this version of Windows, which runs between 5.3.3 and 6.1.6. We will update the user exchange as soon as we have a resolution to this issue.

Does the latest 1803 cumulative update from June 12, 2018 (https://support.microsoft.com/en-us/help/4284835) resolve the problem?

Are both CbR v5.x and v6.x affected?

Hi Axl,

It is only in CB v6.

Hi All,

Recent update: I asked the user to update the OS to June 12, 2018 (https://support.microsoft.com/en-us/help/4284835) - no improvement.

I upgraded the agent to v6.1.6 - no improvement.

I hope this information helps.

We too see it on various boxes in our environment, no difference between virtual and physical w10

We believe this issue is due to the Response driver, so customers will actually want to try the following command which delays the driver startup upon reboot, note the extra k: "sc config carbonblackk start= delayed-auto"

Saying disable X without impact guidance isn't quite noble.

Also, we have been waiting for a FIX since April. I'm asking myself right now if CB/CB Response team is testing the product against the technology releases Microsoft is providing upfront.

I think none of your customers deserves to be a beta tester for things that should have raised a red flag during internal testing with Microsoft beta products.

Let me know when the new Windows sensor version is available.

Can we get an update on this issue?  We are still performing tests of Windows v1803 in our environment.  So far this is the only issue that is preventing our deployment.

Update:  This issue will be addressed in the upcoming 6.1.7 Windows sensor release.  It is expected to be available by the end of July (subject to change based on QA/testing). 

Hi nking, can you provide some more details around what the issue was/is and how it's fixed in the new sensor?

Yes, root cause analysis from Engineering is below:

Events that arrive before the sensor's core driver attaches to the file system volume are added to the sensor's list of running processes. When this happens, the binary hashing fails (because the sensor isn't attached to the volume and can't access the associated binary). However, 'event creation' for intercepted events still blocks and waits 10 seconds for the hashing to complete. This is especially a problem during startup, because the SYSTEM process repeatedly accesses the registry, and the timeout has to occur multiple times.

Pre-release builds of the 6.1.7 sensor have been verified to address this issue, and boot times return to normal.

Hello All,

The Cb Response Team has worked aggressively to find a solution for the slow boot times in Windows 10 machines with the 1803 Build. This solution will be in the next 6.1.7 Windows sensor release. Please expect it to be GA in the late July to early August time frame.

Thanks,

The Cb Response Team

It's August now... please provide a more current timeline for the new CbR Sensor 6.1.7 (for Windows) and details on what version the server will need to be at.

[Cb Response] Cloud Update Notification: 6.2.3 Server Release and 6.1.7 Windows Sensor Release

The 6.1.7 Windows sensor will be available on August 5, 2018 on Cloud and August 14, 2018 on-prem for GA.

Your response indicates sensor 6.1.7 for Windows will be available on August 5, 2018 for Cloud, yet I don't see that specific version available under the Upgrade Policy. Can Carbon Black confirm the August 5, 2018 date is correct for Cloud based customers or pushed off to a future date? Are there additional steps needed on my end to make version 6.1.7 accessible in my cloud instance?

mquintanar, the 6.1.7 sensor is deployed with the 6.2.3 server rollout. It sounds like we have not rolled out that server version to your environment yet. Please open a case with Support and we can manually add 6.1.7 to your environment.

More information on the 6.2.3 server rollout to cloud can be found here - [Cb Response] Cloud Update Notification: 6.2.3 Server Release and 6.1.7 Windows Sensor Release

Issue resolved with new sensor version. Thanks Carbon Black team!
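
An added example, not part of the thread and not Carbon Black tooling: a read-only PowerShell check that reports whether the delayed-start workaround discussed above is still set on a machine, since hosts left in that state keep missing events from early in startup. It assumes only the two names quoted in the thread (carbonblack, carbonblackk) and the standard Start and DelayedAutostart values under the Windows Services registry key.

```powershell
# Added example: report whether the delayed-start workaround from this thread
# is still applied on the local machine. Read-only; it changes nothing.
# 'carbonblack' and 'carbonblackk' are the names quoted in the thread.
param([string[]]$Name = @('carbonblack', 'carbonblackk'))

# Standard meaning of the Start value under ...\Services\<name>.
$startNames = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'demand'; 4 = 'disabled' }

# ReleaseId reads "1803" on the Windows 10 build discussed in the thread.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$releaseId = $cv.ReleaseId

foreach ($svc in $Name) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $row = [ordered]@{
        Computer  = $env:COMPUTERNAME
        ReleaseId = $releaseId
        Service   = $svc
        Present   = $false
        StartType = $null
        Delayed   = $false
        Note      = 'not installed'
    }
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        $names = $p.PSObject.Properties.Name
        $row.Present = $true
        if ($names -contains 'Start') {
            $row.StartType = $startNames[[int]$p.Start]
        }
        # "sc config <name> start= delayed-auto" stores Start=2 plus DelayedAutostart=1.
        $row.Delayed = ($row.StartType -eq 'auto') -and
                       ($names -contains 'DelayedAutostart') -and
                       ([int]$p.DelayedAutostart -eq 1)
        $row.Note = if ($row.Delayed) {
            'workaround active: events before the delayed start are not recorded'
        } else {
            'not delayed'
        }
    }
    [pscustomobject]$row
}
```

The start type the sensor used before the workaround is not stated in the thread, so the script only reports and leaves the configuration untouched.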

Article Information
Creation Date: 06-11-2018