Environment
- Carbon Black Cloud Sensor: All supported versions
Objective
How to Troubleshoot Sensor Interop Issues
Resolution
CRITICAL: PLEASE DO NOT UNINSTALL THE SENSOR
Troubleshooting cannot take place with sensor uninstalled as information needed is not available.
Please open a case with CB Support, the case will start by requesting:
- Device name in the Carbon Black Cloud Console
- Application experiencing interoperability
- Date/Time interoperability occurred
- Application actions performed or blocked
- Are results the same if Sensor is placed in Bypass?
- Remove Sensor from Bypass and attempt to implement a Permissions rule
- Test using a Permissions rule
- Is the interoperability issue reproducible?
- If yes and the OS is Windows, collect 2 separate Procmon logs:
- Steps for Windows 3.3.x.x Sensor and earlier or steps for Windows 3.4.x.x Sensor and higher
- Procmon with the Sensor Active and with the issue reproduced
- Procmon with the Sensor in Bypass taking the same steps as above
- After collecting Procmon logs, request Sensor logs:
- Collecting Sensor Logs Windows
- Collecting Sensor Logs Mac
- Collecting Sensor Logs Linux
If this issue cannot be solved with Support troubleshooting steps, it may need escalation to the Engineering team. Escalation will require information collected in the steps above:
- Procmon with the Sensor Active
- Procmon with the Sensor in Bypass
- Sensor logs collected following the final Procmon log being saved
Additional Notes
Sensor interoperability issues display as one or more:
- Application slowness
- Delayed start of application
- An application operation not functioning
- Application is blocked or crashes
Related Content
