Environment
- Carbon Black Cloud: All Sensors version 3.2 and above
- Carbon Black Cloud Console:
- Microsoft Windows 10
- Microsoft Windows Server 2012
Symptoms
After installing the Carbon Black Cloud sensor, navigating to the endpoints page shows an inactive or different user in the entry than the current user or the user who installed the sensor.
Cause
Due to how the user information is evaluated at sensor install time, a user that may be cached on the system from a prior login will be displayed in the user field.
Resolution
- This is a known limitation of the product.
- Engineers are currently planning work to improve this functionality in a future release of the sensor and back end.
- One possible workaround to this is to login to the machine directly and uninstall/reinstall the sensor.
Additional Notes
The user field is populated by the installing user (for attended installs) or the best guess of the user that was online when it installed (for unattended installs).
3.5.x.x and higher sensor behavior is to enumerate the logged on users at the time of sending the status message and find the interactive user with the most recent logon time. The status message is sent once after a restart and then every 8 hours after that or every 15 minutes when in bypass. The status message can also be sent for various triggers such as network changes, if the status of the local scanner changes (sig pack update or enable/disable), when the LR session is established/closed, VDI reregistration, or network quarantine status change.
The plan is to change the sensor to continuously monitor the users logged on so that we don't have to enumerate at time of the status message and so it's more deterministic.
Related Content
