EDR: “(Unknown)” Events in Process Search Results

Environment

  • EDR Server: All Versions

Symptoms

  • Occasionally a process will appear in search results with the name "(unknown)".
  • The process graph may show the parent as "top".
  • The Process Start Time is a sentinel value such as 1969-12-31T23:59:59.999Z (just before the Unix epoch).
  • The PID is -1.

Cause

"(Unknown)" events appearing in a Process Search are expected. An "(Unknown)" process is one that was already running at the time the sensor was installed on the host.

Resolution

  • Because the sensor did not observe the start and execution of these processes, not all of their metadata is available (for example the process name or start time). As a result the process is shown as "(Unknown)" and its Start Time is inaccurate.
  • Often these "(Unknown)" processes will spawn children after the sensor is running. Those child processes may carry metadata describing the "(Unknown)" parent, such as parent_name, which can provide additional insight during an investigation.
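The two points above can be applied mechanically when triaging search results. The following is an added example, not code from the article or from the EDR product: it flags records that carry the "(unknown)" markers described in Symptoms and then recovers a likely name for each such parent from the parent_name its children report. The sample documents are constructed, and every field name other than parent_name (unique_id, process_name, process_pid, start, parent_unique_id, hostname) is an assumption about the result shape.

```python
from datetime import datetime, timezone

# Constructed sample of process-search documents. Field names other than
# parent_name are assumptions for this example; the first record shows the
# symptoms the article lists for a pre-sensor "(unknown)" process.
SAMPLE_PROCESSES = [
    {"unique_id": "p-0001", "process_name": "(unknown)", "process_pid": -1,
     "start": "1969-12-31T23:59:59.999Z", "parent_name": "top",
     "parent_unique_id": None, "hostname": "host01"},
    {"unique_id": "p-0002", "process_name": "cmd.exe", "process_pid": 4120,
     "start": "2020-09-09T10:15:02.000Z", "parent_name": "services.exe",
     "parent_unique_id": "p-0001", "hostname": "host01"},
    {"unique_id": "p-0003", "process_name": "explorer.exe", "process_pid": 2288,
     "start": "2020-09-09T08:00:00.000Z", "parent_name": "userinit.exe",
     "parent_unique_id": "p-0009", "hostname": "host01"},
]

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def is_pre_sensor_process(doc):
    """True when a record carries the markers of a process that was already
    running when the sensor was installed: name "(unknown)", PID -1, or a
    start time at or before the Unix epoch (the sentinel the article shows)."""
    if doc.get("process_name", "").lower() == "(unknown)" or doc.get("process_pid") == -1:
        return True
    start = doc.get("start")
    if start:
        when = datetime.fromisoformat(start.replace("Z", "+00:00"))
        return when <= EPOCH
    return False


def recover_parent_names(docs):
    """Map each pre-sensor process unique_id to the parent_name values its
    children report. The children started after the sensor was running, so
    their parent_name is the best available name for the "(unknown)" record."""
    unknown_ids = {d["unique_id"] for d in docs if is_pre_sensor_process(d)}
    recovered = {uid: set() for uid in unknown_ids}
    for d in docs:
        parent = d.get("parent_unique_id")
        if parent in unknown_ids and d.get("parent_name"):
            recovered[parent].add(d["parent_name"])
    return {uid: sorted(names) for uid, names in recovered.items()}


if __name__ == "__main__":
    for uid, names in recover_parent_names(SAMPLE_PROCESSES).items():
        print(f"{uid}: (unknown) parent likely {names or ['no children seen']}")
```

An "(unknown)" record with no children yields an empty list, which is the case where no further name can be recovered from the sensor's own data.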

Article Information

Creation Date: 09-09-2020