CB Response: Why is there still performance impact when the Sensor service is stopped on a Windows endpoint?
CB Response Server: All Versions
CB Response Sensor: All Versions
Microsoft Windows OS: All Supported Versions
Why is there still performance impact when the Sensor service is stopped on a Windows endpoint?
If the sensor service is stopped but the CB Response driver (carbonblackk) is still loaded among the filter drivers, monitoring and data recording continue on the system.
This is expected behavior. A process event is collected by the kernel driver whenever a module (e.g., a .dll) loads, a network connection is established, a process executes, the registry is modified, or a file is written to. The sensor also collects metadata appropriate to the event (e.g., the user context, the MD5 hash of any binaries, and the actual binary if it has not been seen before).
Just because the sensor service is stopped does not mean that the sensor is disabled. The driver must be unloaded for all CB Response sensor impact to cease.
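The following PowerShell script is an added example, not vendor code. It checks for the state described above by parsing `fltmc filters` output for the carbonblackk driver and comparing it with the service status. The service name `CarbonBlack`, the function names and the sample output are assumptions made for illustration.

```powershell
param(
    [string]$ServiceName = 'CarbonBlack',   # assumed sensor service name; adjust as needed
    [string]$DriverName  = 'carbonblackk',  # driver name given in the article
    [switch]$Live                           # query this host instead of the sample below
)

# Constructed sample of `fltmc filters` output; the carbonblackk altitude is a placeholder.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                5       328010         0
carbonblackk                            4       000000         0
FileInfo                                5       40500          0
'@

function Get-LoadedFilter {
    param([string[]]$FltmcLines, [string]$Name)
    foreach ($line in $FltmcLines) {
        # Data rows have four columns: name, instance count, altitude, frame
        if ($line -match '^\s*(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$' -and $Matches[1] -ieq $Name) {
            return [pscustomobject]@{
                Name = $Matches[1]; Instances = [int]$Matches[2]; Altitude = $Matches[3]
            }
        }
    }
    return $null   # driver is not in the loaded filter list
}

function Get-SensorImpactState {
    param([string]$ServiceStatus, $Filter)
    if (-not $Filter) { return 'Driver not loaded' }
    if ($ServiceStatus -eq 'Running') { return 'Service running, driver loaded' }
    return 'Service not running, driver still loaded: monitoring and recording continue'
}

if ($Live) {
    $lines  = fltmc filters   # requires an elevated prompt
    $svc    = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $status = if ($svc) { [string]$svc.Status } else { 'NotFound' }
} else {
    $lines  = $sample -split "`r?`n"
    $status = 'Stopped'       # constructed: the situation the article describes
}

$filter = Get-LoadedFilter -FltmcLines $lines -Name $DriverName
Get-SensorImpactState -ServiceStatus $status -Filter $filter
$filter
```

Run without arguments it evaluates the embedded sample; with `-Live` it inspects the local endpoint.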