Environment
- CB Response Server: All Versions
- CB Response Sensor: All Versions
- Microsoft Windows OS: All Supported Versions
Question
Why is there still performance impact when the Sensor service is stopped on a Windows endpoint?
Answer
If the sensor service is stopped but the CB Response driver (carbonblackk) is still loaded as a filter driver, the system is still being monitored and data is still being recorded.
Additional Notes
- This is expected behavior. A process event is collected by the kernel driver whenever a module (e.g., a .dll) loads, a network connection is established, a process executes, the registry is modified, or a file is written to. The sensor also collects metadata appropriate to the event (e.g., the user context, the MD5 hash of any binaries, and the actual binary if it has not been seen before).
- Just because the sensor service is stopped does not mean that the sensor is disabled. The driver must be unloaded for all CB Response sensor impact to cease.
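
One way to check the driver state separately from the service state is to parse the output of `fltmc filters`. This is an added example, not Carbon Black's own tooling; the function names and the sample output are constructed for illustration, and the service name CarbonBlack in the comments is an assumption.

```powershell
# Added example. 'carbonblackk' is the driver name given in this article;
# the service name 'CarbonBlack' is an assumption, confirm it on your install.

function ConvertFrom-FltmcOutput {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows: name, [instances], altitude, frame. Header and rule lines do not match.
        if ($line -match '^\s*(\S+)\s+(?:(\d+)\s+)?(\d+(?:\.\d+)?)\s+(\S+)\s*$') {
            [pscustomobject]@{ FilterName = $Matches[1]; Instances = $Matches[2]
                               Altitude = $Matches[3]; Frame = $Matches[4] }
        }
    }
}

function Get-SensorImpactState {
    param(
        [string]$ServiceStatus,               # 'Running', 'Stopped', 'NotFound', ...
        [object[]]$Filters,
        [string]$DriverName = 'carbonblackk'
    )
    $driver = $Filters | Where-Object { $_.FilterName -ieq $DriverName } | Select-Object -First 1
    $loaded = $null -ne $driver
    $verdict = if ($loaded -and $ServiceStatus -ne 'Running') {
        'Service is not running but the driver is loaded: events are still collected'
    } elseif ($loaded) {
        'Service is running and the driver is loaded'
    } else {
        'Driver is not in the filter list'
    }
    [pscustomobject]@{ ServiceStatus = $ServiceStatus; DriverLoaded = $loaded
                       Instances = $driver.Instances; Verdict = $verdict }
}

# Constructed sample of `fltmc filters` output (altitudes and counts are made up).
$sample = @(
    'Filter Name                     Num Instances    Altitude    Frame'
    '------------------------------  -------------  ------------  -----'
    'carbonblackk                            4         300000       0'
    'ExampleFilter                           2         100000       0'
)
Get-SensorImpactState -ServiceStatus 'Stopped' -Filters (ConvertFrom-FltmcOutput $sample)

# On a live endpoint, from an elevated prompt:
#   $svc = Get-Service -Name 'CarbonBlack' -ErrorAction SilentlyContinue
#   $status = if ($svc) { [string]$svc.Status } else { 'NotFound' }
#   Get-SensorImpactState -ServiceStatus $status -Filters (ConvertFrom-FltmcOutput (fltmc.exe filters))
```

`fltmc` needs an elevated prompt; without elevation it returns an access-denied message with no rows, which this parser would report as the driver not being listed.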