Environment
- Carbon Black Cloud Sensor: All Windows versions 3.7.x and earlier
- Carbon Black Cloud Console: All Versions
Symptoms
- Windows applications randomly stop or hang, ranging from hours to days between events.
- Problem seems to be worse on busier machines.
- Problem occurs on a wide range of Windows OS versions.
- Restarting the Windows WMI service fixes the hanging.
- Placing the sensor host in Bypass mode fixes the hanging.
- Running this Get-Process command from a PowerShell prompt against the WmiPrvSE.exe process ID returns almost all "Suspended" states:
username> (get-process -id 1234).threads.waitreason
Suspended
Suspended
Suspended
Unknown
Suspended
Suspended
.
.
.
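The same check run across every WmiPrvSE.exe instance on a host, as an added example that is not part of the original article. The function name `Get-WmiPrvSESuspendedSummary` and the 80% cut-off used for "almost all" are assumptions.

```powershell
# Added example: summarize thread wait reasons for each WmiPrvSE.exe instance.
# The function name and $SuspendedThreshold default are assumptions, not vendor values.
function Get-WmiPrvSESuspendedSummary {
    param(
        # Fraction of threads in the Suspended wait reason treated as "almost all".
        [double]$SuspendedThreshold = 0.8
    )

    # Several WmiPrvSE.exe instances normally run at once, so inspect each one.
    $procs = Get-Process -Name WmiPrvSE -ErrorAction SilentlyContinue
    foreach ($proc in $procs) {
        try {
            $threads = @($proc.Threads | Where-Object { $null -ne $_ })
        } catch {
            # The process exited or access was denied (run elevated to see all instances).
            Write-Warning "PID $($proc.Id): cannot read threads: $($_.Exception.Message)"
            continue
        }
        if ($threads.Count -eq 0) { continue }

        # WaitReason is only valid while a thread is in the Wait state,
        # so filter on ThreadState before reading it.
        $waiting   = @($threads | Where-Object { $_.ThreadState -eq 'Wait' })
        $suspended = @($waiting | Where-Object { $_.WaitReason -eq 'Suspended' })
        $ratio     = $suspended.Count / $threads.Count

        [pscustomobject]@{
            Id           = $proc.Id
            Threads      = $threads.Count
            Waiting      = $waiting.Count
            Suspended    = $suspended.Count
            SuspendedPct = [math]::Round($ratio * 100, 1)
            LikelyHung   = ($ratio -ge $SuspendedThreshold)
        }
    }
}

# Instances with the highest share of suspended threads are listed first.
Get-WmiPrvSESuspendedSummary |
    Sort-Object SuspendedPct -Descending |
    Format-Table -AutoSize
```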
Cause
This is issue DSEN-13250. T
Resolution
This issue is fixed in 3.8.x Windows sensors.
To address this "app-hook" issue hanging the WMI service for 3.7.x sensors and earlier, add an API Bypass rule as follows:
- Edit the policy for the target Windows sensor hosts
- Prevention Tab; Permissions; Check "Performs any API operation" and Application(s) at Path:
*:\Windows\Sys*\wbem\WmiPrvSE.exe
Additional Notes
Note that the API bypass will only prevent future occurrences and not "heal" sensor hosts currently in a bad state.