Environment

• EDR Sensor: 6.x and Higher
• macOS: All Supported Versions

Objective

• General system performance issues
• High CPU/Memory of EDR sensor process
• High CPU/Memory of third-party applications

Resolution

1. Log onto the Apple macOS endpoint exhibiting performance issues.
2. Generate a process sample for the sensor:

# sudo sample CbOsxSensorService 10 1 -f ~/Desktop/process_sample_`hostname`_`date +%Y-%m-%d_%H-%M-%S`.log

3. Generate an Apple macOS sensor diag report.
4. Upload all log files to CB Vault. 
5. Update your Carbon Black Technical Support case with further relevant information:

- Is the performance issue a reproducible scenario and if so, what steps, if any, are taken to reproduce it? 
(For example, were any backups, updates, or large file transfers being performed?)

- How many endpoints are affected? What are their general system profiles and function? 

- What other security applications/real-time scanners are installed?

- How long do the performance issues last? 

- What actions, if any, return the system performance to normal?

- Is the endpoint connected to to any network shares? 

- Does this endpoint generate a large number of logs, binaries, or PDF reports?

Additional Notes

• The process sample generated in step 2 will be created on your Desktop.

Related Content

• EDR Sensor: How to collect logs for performance-related issues (Windows)
• https://community.carbonblack.com/t5/Knowledge-Base/CB-Response-Sensor-How-to-collect-logs-for-performance-related/ta-p/67197
• CB Response: How to generate Apple MacOS sensor report 6.1.3 and earlier
• EDR: Generate Apple MacOS Sensor report in 6.2.x and later