CB ThreatHunter: Investigate page returning reduced events volume

Environment

  • CB ThreatHunter Web Console: All Versions
  • CB PSC Windows Sensor: 3.4.x.x and higher
  • Microsoft Windows: All Supported Versions

Symptoms

  • A frequent regmod to a specific registry location from a third party security product will be excluded
  • A frequent crossproc (opening handles to all processes repeatedly) by a third party security product will be excluded
  • Repeated netconns by any single process to any unique remote IP:port combination will be excluded
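
As an added illustration (not the vendor's code; the article does not publish the sensor's actual rule logic), the Python below models the three exclusions as first-seen deduplication keys over a constructed set of sensor events, so an analyst can estimate the volume change and see exactly which repeat information stops reaching the cloud. The field names, the keying chosen for each rule, and the sample events are assumptions.

```python
from collections import Counter

# Constructed sample of sensor events in the three affected classes plus an
# unaffected class; these are illustrative records, not captured data.
SAMPLE_EVENTS = [
    {"type": "netconn", "pid": 4242, "proc": "agent.exe", "remote": "10.0.0.5:443"},
    {"type": "netconn", "pid": 4242, "proc": "agent.exe", "remote": "10.0.0.5:443"},
    {"type": "netconn", "pid": 4242, "proc": "agent.exe", "remote": "10.0.0.5:443"},
    {"type": "netconn", "pid": 4242, "proc": "agent.exe", "remote": "10.0.0.6:443"},
    {"type": "regmod", "pid": 900, "proc": "thirdparty_av.exe", "key": r"HKLM\SOFTWARE\ExampleAV\State"},
    {"type": "regmod", "pid": 900, "proc": "thirdparty_av.exe", "key": r"HKLM\SOFTWARE\ExampleAV\State"},
    {"type": "crossproc", "pid": 900, "proc": "thirdparty_av.exe", "target_pid": 1},
    {"type": "crossproc", "pid": 900, "proc": "thirdparty_av.exe", "target_pid": 2},
    {"type": "procstart", "pid": 5000, "proc": "notepad.exe"},
    {"type": "procstart", "pid": 5001, "proc": "calc.exe"},
]

def suppression_key(event):
    """Key under which later repeats count as redundant (assumed model of the
    three rules in the article); None means the event class is untouched."""
    t = event["type"]
    if t == "netconn":          # same process, same remote IP:port
        return ("netconn", event["pid"], event["remote"])
    if t == "regmod":           # same process, same registry location
        return ("regmod", event["pid"], event["key"])
    if t == "crossproc":        # same process opening handles across processes
        return ("crossproc", event["pid"])
    return None

def apply_suppression(events):
    """Keep the first event per key and drop later repeats.
    Returns (kept_events, Counter of dropped repeats per key)."""
    seen, kept, dropped = set(), [], Counter()
    for ev in events:
        k = suppression_key(ev)
        if k is not None and k in seen:
            dropped[k] += 1
            continue
        if k is not None:
            seen.add(k)
        kept.append(ev)
    return kept, dropped

def reduction_pct(events):
    """Percentage of events removed, the figure the article quotes as ~20% on average."""
    kept, _ = apply_suppression(events)
    return round(100.0 * (len(events) - len(kept)) / len(events), 1)
```

On the constructed sample, `apply_suppression(SAMPLE_EVENTS)` keeps 6 of 10 events and the Counter shows the three identical netconns to 10.0.0.5:443 collapsing to one. That per-event repetition count is what a detection that counts raw netconn events to the same IP:port (for example, to spot periodic beaconing) would no longer observe once the sensor applies the rule.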

Cause

There is a cloud-driven change coming this week to ease network loads and minimize redundancy in VMware Carbon Black Cloud Enterprise EDR event data.

Resolution

VMware Carbon Black has performed a deep analysis of the most repetitive events aggregated across all customers, and has designed surgical rules to exclude these events from all Enterprise EDR customers' sensor traffic.

Additional Notes

While every endpoint and workload is different, based on initial findings VMware Carbon Black expects that most customers could see on average a 20% reduction in the number of events sent, with most customers falling between 10% and 30%.

Article Information
Creation Date: 09-09-2020