Carbon Black Cloud: Zombie Processes Created by Linux Sensor

Environment

  • Carbon Black Cloud Linux Sensor: 2.11.2.545096 - 2.13.2
  • Linux: All Supported Versions

Symptoms

  • Zombie processes created by the cbagentd
    • ps -ef | grep -i ECStateEngine
      root 2125 1864 0 Dec15 ? 00:00:00 [ECStateEngine] <defunct>
      root 3682 1864 0 09:19 ? 00:00:00 [ECStateEngine] <defunct>
      root 7999 1864 0 Dec19 ? 00:00:00 [ECStateEngine] <defunct>
      root 8056 1864 0 Dec19 ? 00:00:00 [ECStateEngine] <defunct>

Cause

The sensor keeps restarting the event_collector, which leaves orphaned zombie processes behind.

Resolution

Improvement was observed in Sensor release 2.14.0; Sensor release 2.14.1 will include additional fixes.

Additional Notes

To check whether zombie processes are present, run the command below in a terminal:
ps -ef | grep defunct
Output should look similar to:
ps -ef | grep defunct
root 489 30703 0 Nov15 ? 00:00:00 [ECStateEngine] <defunct>
root 526 30703 0 Nov15 ? 00:00:00 [ECStateEngine] <defunct>
root 535 30703 0 Nov15 ? 00:00:00 [ECStateEngine] <defunct>
root 565 30703 0 Nov15 ? 00:00:00 [ECStateEngine] <defunct>
root 1129 30486 0 Nov07 ? 00:00:00 [nsrexecd] <defunct>
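
A stricter form of this check, as an added example that is not from the original article or from the vendor: `grep defunct` matches on text and can also match the grep process itself, so this script filters on the process state field and groups zombies by parent PID. The sample rows are constructed from the PIDs shown above, and treating PID 1864 as cbagentd is an assumption.

```shell
#!/bin/sh
# Added example (not vendor code). Input rows use the format of:
#   ps -eo pid=,ppid=,stat=,comm=

# Constructed sample; PID 1864 being cbagentd is an assumption.
sample_ps() {
cat <<'EOF'
 1864     1 Ssl  cbagentd
 2125  1864 Z    ECStateEngine <defunct>
 3682  1864 Z    ECStateEngine <defunct>
 7999  1864 Z    ECStateEngine <defunct>
 8056  1864 Z    ECStateEngine <defunct>
 1129 30486 Z    nsrexecd <defunct>
 4242  4000 S    grep
EOF
}

# Print "<count> <ppid> <parent-name> <zombie-name>", most zombies first.
# Only the first word of the command name is used.
summarize_zombies() {
    awk '
        { name[$1] = $4 }                  # remember each process name by PID
        $3 ~ /^Z/ { n[$2 " " $4]++ }       # STAT beginning with Z marks a zombie
        END {
            for (k in n) {
                split(k, f, " ")
                parent = (f[1] in name) ? name[f[1]] : "?"
                printf "%d %s %s %s\n", n[k], f[1], parent, f[2]
            }
        }' | sort -k1,1nr -k2,2n
}

# Print how many zombies have the exact command name given as $1.
count_zombies_named() {
    awk -v want="$1" '$3 ~ /^Z/ && $4 == want { c++ } END { print c + 0 }'
}

sample_ps | summarize_zombies
# On a live host: ps -eo pid=,ppid=,stat=,comm= | summarize_zombies
```

A parent shown as `?` means the parent PID was not in the input, as with the nsrexecd row in the sample.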

Article Information
Creation Date: 01-26-2022