Environment

• CB Response Sensor: (All versions)
• Microsoft Windows: All Supported Versions

Symptoms

• Unusually slow bootup time on Windows endpoint

Cause

The AntiVirus software (such as Windows Defender) scans the CB Response Sensor directory, which consumes resources and causes delays in bootup.

Steps to confirm:

1. Ensure the CB Response Sensor is installed
2. Gather boot logs (requires a reboot)
   • CB Response: How to collect a Procmon for Boot/Login Sensor Performance
3. Open the captured boot log file
4. Click the Tools menu > Process Activity Summary
5. Click the CPU column to sort the entries
6. Note the highest processes, which are likely to be AntiVirus software related (example: MsMpEng.exe is Windows Defender)

Resolution

1. Configure the AntiVirus software to ignore the Cb Response Sensor directory (%WINDIR%\CarbonBlack\* by default)
2. Configure the AntiVirus software to ignore the Cb Response Sensor Process (cb.exe)

Additional Notes

Related Content

• CB Protection: How to Disable/Enable the Carbon Black Tamper Protect Updater
• CB Response: How to Enable Verbose Logging Locally on Windows Sensor
• CB Response: How to collect a Procmon for Sensor Performance
• CB Response: How to collect a Procmon for Boot/Login Sensor Performance
• CB Response: Using Windows Performance Recorder
• CB Response: How to Collect Sensor Diagnostic Logs (6.2.2+) 
• CB Response: How to Collect Windows Sensor Diagnostic Logs (6.2.1 and below)
• CB Response: How to Run Procmon at Low Altitude for Sensor Capture
• CB Response: Which Sensor Directories need exclusion from 3rd party Anti-Virus Scans?
• CB Response: Slow Boot Times on Windows 10