Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Environment

EDR( formerly CB Response) Server: All Versions
EDR Sensor: All Versions
Linux: All Supported Versions
Microsoft Windows: All Supported Versions
Apple macOS: All Supported Versions

Question

Why are some processes listed as (unknown) in the process tree?

Answer

This is a technical limitation of the sensor. Potential causes include:

Processes that are already running prior to Sensor startup will be missing ProcessStart data and shows as unknown
Sensor sends malformed event messages to server
Server purges first segment of long running process after MaxEventStoreDays (pre-6.x sensor only)
Server is shutdown while event data is being processed in datastore

Additional Notes

The 6.3 Windows sensor addresses multiple data integrity issues that cause a running process to appear as unknown
Despite the items listed, EDR still typically captures 99.9% of all events that occur
However, for the 0.1% dropped, the Console UI renders these as Unknown Processes

Related Content

"(Unknown)" events in Process Search results
Cb Response Cloud: Binary hash sharing not enabled and Malicious processes not given threat score
Cb Response: How many child processes are shown in the Process Tree?

Article Information

Author:

Creation Date:

‎01-25-2019

Views:

2002

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.