Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: How to Collect Diagnostic Logs for Sensor Performance-Related Issues (Windows)

EDR: How to Collect Diagnostic Logs for Sensor Performance-Related Issues (Windows)

Environment

  • EDR Sensor: 6.x and Higher
  • Microsoft Windows: All Supported Versions

Objective

To collect relevant logs on a Microsoft Window endpoint in order to troubleshoot most performance-related issues. Typical issues may include:
  • General system performance issues
  • High CPU/Memory of EDR process
  • High CPU/Memory of third-party applications

Resolution

  1. Log onto the Windows endpoint exhibiting performance issues. 
  2. If necessary, disable CB Tamper Protect: App Control: How to Disable/Enable the Carbon Black Tamper Protect Updater
  3. Enable verbose logging (optional): EDR: How to Enable Verbose Logging Locally on Windows Sensor
  4. Required:
    1. For performance with another application. EDR: How to collect a Procmon for Sensor Performance
    2. For Boot/Login performance issues: EDR: How to collect a Procmon for Boot/Login Sensor Performance
    3. For High CPU issues: EDR: Using Windows Performance Recorder
    4. For High Memory Issues: EDR: How to Create a Memory Dump during High Memory Usage Troubleshooting (Windows)
  5. Generate a Windows sensor report: EDR: How to Collect Windows Sensor Diagnostic Logs (6.2.2+)
  6. Disable verbose logging (if previously enabled)
  7. Upload all log files to CB Vault
  8. Update your Carbon Black Technical Support case with further relevant information:
- Is the performance issue a reproducible scenario and if so, what steps, if any, are taken to reproduce it? 
(For example, were any backups, updates, or large file transfers being performed?)

- How many endpoints are affected? What are their general system profiles and function? 

- What other security applications/real-time scanners are installed?

- How long do the performance issues last? 

- What actions, if any, return the system performance to normal?

- Is the endpoint connected to any network shares? 

- Does this endpoint generate a large number of logs, binaries, or PDF reports?

Additional Notes

  • Not all logs above may be required to troubleshoot every performance-related issue.

Related Content


Labels (1)
Tags (2)
Was this article helpful? Yes No
0% helpful (0/1)
Article Information
Author:
Creation Date:
‎02-08-2016
Views:
14430
Contributors