
EDR: Crossproc Appears to be Suppressed When Using Recommended Retention

Environment

  • EDR Server (formerly CB Response): All Supported Versions

Question

  • Per the CB Response User Guide:
    • Recommended Retention – The processes that contain
      only modload events are available under the parent
      processes and are searchable as child processes. You can
      search metadata, such as command line and user context,
      under the parent process.
  • Based on the 'only modload events' description above, when retention is set to 'Recommended', why are we seeing processes that contain a crossproc being suppressed?

Answer

  • In our code we will suppress a process if 1) suppression is set to medium and 2) it is considered an 'eventless' process. If a parent launches a process and then performs a crossproc against it, that crossproc does not unsuppress the target of the crossproc event: the crossproc is recorded on the parent (the actor), not on the child. So if parent.exe spawns child.exe, then as long as child.exe does not perform any file operations or launch any subprocesses of its own, it will remain suppressed and is only reachable as a child process under parent.exe.
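To make that rule concrete, here is an added Python example (not code from the article or from Carbon Black) that applies it to process search results so an analyst can see which processes will only be reachable under their parent; the count field names and the parent.exe/child.exe sample data are assumptions.

```python
# Added example, not from the Carbon Black article or product code: models the
# suppression rule described above so an analyst can tell, from process search
# results, which processes are hidden and must be searched as children of
# their parent. The *_count field names are assumed to match the EDR
# process-search documents; all sample data below is constructed.

RETENTION_MEDIUM = "medium"   # the "Recommended" retention level

# Event kinds recorded on the process itself. A crossproc is recorded on the
# ACTOR process, so a process that is merely the target of a crossproc gains
# no event of its own and can still be suppressed. regmod/netconn are treated
# as events per the "only modload events" wording (assumption).
OWN_EVENT_FIELDS = ("filemod_count", "regmod_count", "netconn_count",
                    "childproc_count", "crossproc_count")


def is_eventless(proc: dict) -> bool:
    """True when the process has only modload events (or none at all)."""
    return all(proc.get(field, 0) == 0 for field in OWN_EVENT_FIELDS)


def is_suppressed(proc: dict, retention: str) -> bool:
    """Suppressed iff retention is medium and the process is eventless.
    Only the medium/Recommended level is described in the article; other
    levels are not modelled here."""
    return retention == RETENTION_MEDIUM and is_eventless(proc)


def suppressed_children(procs, retention=RETENTION_MEDIUM) -> dict:
    """Map each suppressed process name to the parent it must be searched under."""
    by_id = {p["id"]: p for p in procs}
    hidden = {}
    for p in procs:
        if is_suppressed(p, retention):
            parent = by_id.get(p.get("parent_id"), {})
            hidden[p["process_name"]] = parent.get("process_name", "<unknown>")
    return hidden


# Constructed sample: parent.exe spawns two children. child.exe is the target
# of parent.exe's crossproc but does nothing else; worker.exe writes a file.
SAMPLE_PROCS = [
    {"id": "p1", "parent_id": None, "process_name": "parent.exe",
     "modload_count": 12, "childproc_count": 2, "crossproc_count": 1},
    {"id": "p2", "parent_id": "p1", "process_name": "child.exe",
     "modload_count": 4},   # crossproc target only -> still eventless
    {"id": "p3", "parent_id": "p1", "process_name": "worker.exe",
     "modload_count": 4, "filemod_count": 1},
]

if __name__ == "__main__":
    for name, parent in suppressed_children(SAMPLE_PROCS).items():
        print(f"{name} is suppressed; search for it as a child of {parent}")
```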

Article Information
Creation Date: 09-09-2020