
Cb Response: Binary Files Still Uploading After Collection Type Disabled

Environment

Cb Response 6.1.2

Symptoms

After binary collection is disabled, Cb Response sensor communication still uses elevated bandwidth.

Cause

Unselecting this option in the sensor group settings means that the sensor no longer collects any new binary files, but it still tries to upload the files it has already collected.

Resolution

  1. Binaries that have already been collected can be removed from the sensor. They are located in C:\Windows\CarbonBlack\store
    Note: Admin Privileges are required to access this directory
    Warning: The catalog file should not be removed from this directory
  2. Sensors should be upgraded to the latest release
    1. The 6.1.2-win sensor release resolves CB-15259. This issue causes the Windows sensor to excessively retry calls to our “reserve” API (used to reserve space for data uploads) when no space is available. This could cause an increase in overhead in past sensor versions.
    2. Site throttling in the 6.X server is not compatible with 5.X sensors.
    3. 6.x sensors are more efficient at submitting data to the Cb Response server than 5.x sensors.
  3. As an additional note, the throttle algorithm calculations are based on rolling averages, so it is expected that there may be brief periods where the limits can be exceeded.
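
One way to carry out step 1 on a single endpoint, as an added example (not Carbon Black's own tooling): the script reports how much collected data is still queued in the store directory, then removes it while leaving the catalog file in place. The article does not name the catalog file, so the mandatory `CatalogFileName` parameter is an assumption the operator must fill in after inspecting the directory.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Store directory as given in the article.
    [string]$StorePath = 'C:\Windows\CarbonBlack\store',

    # ASSUMPTION: the article does not give the catalog file's name.
    # Pass the exact file name seen in the directory listing on the sensor.
    [Parameter(Mandatory = $true)]
    [string]$CatalogFileName
)

$catalog = Join-Path -Path $StorePath -ChildPath $CatalogFileName
if (-not (Test-Path -LiteralPath $catalog -PathType Leaf)) {
    # Refuse to delete anything when the file to protect cannot be identified.
    throw "Catalog file '$catalog' not found; nothing was removed."
}

# Files directly under the store directory, excluding the catalog.
# Subdirectories are deliberately left untouched.
$pending = @(Get-ChildItem -LiteralPath $StorePath -File -Force |
    Where-Object { $_.Name -ne $CatalogFileName })

# Size of the backlog the sensor would otherwise keep trying to upload.
$bytes = ($pending | Measure-Object -Property Length -Sum).Sum
'{0} collected file(s), {1:N1} MB still queued in {2}' -f `
    $pending.Count, ($bytes / 1MB), $StorePath

foreach ($file in $pending) {
    # ShouldProcess honours -WhatIf and prompts unless -Confirm:$false is given.
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove collected binary')) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}
```

Running it with `-WhatIf` first lists what would be removed without deleting anything.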

Related Content

Firewall Bandwidth Fully Utilized By Cb Response Sensor Data Collection

Article Information
Creation Date: 11-17-2017