Environment
- EDR (formerly Carbon Black Response) Sensor: 7.2.0 and below
- Microsoft Windows: All Supported Versions
Symptoms
Sensor health score reports High or Excessive event loss and stays there for an extended period
Cause
After the kernel event loss health score drops, the affected sensor versions take an unusually long time to return to Healthy. In the sensor log excerpt below, a 7.1.1 sensor remains in Excessive event loss for about 3 hours (12:51:16 to 15:52:21) before recovering:
Tid[1748] 2021-09-01 12:51:16 (i): Kernel event loss health score changed! New status: Excessive event loss; Old score: 0; New score: -50
Tid[1748] 2021-09-01 12:51:16 (i): Overall health score changed! New status: Excessive event loss; Old score: 100; New score: 50
...
Tid[1748] 2021-09-01 15:52:21 (i): Kernel event loss health score changed! New status: Healthy; Old score: -50; New score: 0
Tid[1748] 2021-09-01 15:52:21 (i): Overall health score changed! New status: Healthy; Old score: 50; New score: 100
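To find sensors that exhibit this symptom across a fleet, the health score transitions can be pulled out of the sensor log and paired into episodes. The script below is an added example and is not Carbon Black code; it parses only the "Kernel event loss health score changed!" line format shown in the excerpt above (the sample lines are constructed to match that excerpt), and the 30-minute recovery threshold is an assumed value chosen for illustration, not a documented product limit.

```python
import re
from datetime import datetime

# Constructed sample lines in the sensor log format shown above; timestamps and
# scores match the excerpt from the 7.1.1 sensor.
SAMPLE_LOG = """\
Tid[1748] 2021-09-01 12:51:16 (i): Kernel event loss health score changed! New status: Excessive event loss; Old score: 0; New score: -50
Tid[1748] 2021-09-01 12:51:16 (i): Overall health score changed! New status: Excessive event loss; Old score: 100; New score: 50
Tid[1748] 2021-09-01 15:52:21 (i): Kernel event loss health score changed! New status: Healthy; Old score: -50; New score: 0
Tid[1748] 2021-09-01 15:52:21 (i): Overall health score changed! New status: Healthy; Old score: 50; New score: 100
"""

# Matches only the kernel event loss score line; the overall score line is derived
# from it and would otherwise double-count each transition.
LINE_RE = re.compile(
    r"Tid\[(?P<tid>\d+)\] (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \(i\): "
    r"Kernel event loss health score changed! New status: (?P<status>[^;]+); "
    r"Old score: (?P<old>-?\d+); New score: (?P<new>-?\d+)"
)


def parse_kernel_loss_events(text):
    """Return (timestamp, status, old_score, new_score) for each kernel event loss transition."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("status").strip(), int(m.group("old")), int(m.group("new"))))
    return events


def event_loss_episodes(events):
    """Pair each drop out of Healthy with the next return to Healthy.

    An episode that never returns to Healthy within the log has end=None and
    seconds=None, so a sensor still stuck at the end of the file is not lost.
    """
    episodes = []
    start = None
    for ts, status, _old, _new in events:
        if status != "Healthy" and start is None:
            start = (ts, status)
        elif status == "Healthy" and start is not None:
            episodes.append({
                "start": start[0], "status": start[1], "end": ts,
                "seconds": int((ts - start[0]).total_seconds()),
            })
            start = None
    if start is not None:
        episodes.append({"start": start[0], "status": start[1], "end": None, "seconds": None})
    return episodes


def slow_recoveries(text, threshold_seconds=1800):
    """Episodes that outlast the (assumed) threshold or have not recovered at all."""
    episodes = event_loss_episodes(parse_kernel_loss_events(text))
    return [e for e in episodes if e["end"] is None or e["seconds"] > threshold_seconds]


if __name__ == "__main__":
    for ep in slow_recoveries(SAMPLE_LOG):
        end = ep["end"].isoformat(sep=" ") if ep["end"] else "not recovered"
        print(f"{ep['status']}: {ep['start']} -> {end} ({ep['seconds']} s)")
```

Run it against a real sensor log instead of SAMPLE_LOG to get a list of episodes longer than the threshold; on the excerpt above it reports one episode of 10865 seconds. A sensor whose log shows only the drop and no recovery line is reported with end "not recovered", which is the case to escalate first.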
Resolution
Upgrade to the 7.2.2 Windows sensor.
Additional Notes
This was fixed in sensor version 7.2.1, but 7.2.1 is no longer supported now that the 7.2.2 sensor has been released, so upgrade directly to 7.2.2.