Environment
- EDR Sensor: 6.2.4 - 7.1.1
- Microsoft Windows: All Supported Versions
Symptoms
High memory usage of the sensor's user-mode process: cb.exe.
Cause
This occurs when the sensor is unable to register with the server after installation, usually due to the sensor being in an airgapped environment or a firewall rule preventing sensor to server communications - CB-32827
Resolution
- Upgrade to sensor version 7.2 or higher
- If unable to upgrade, the issue can be avoided by only installing the sensor on endpoints that are able to communicate with the server.
Additional Notes
After successful registration and an event being sent from sensor to server, the sensor will cache events to the local filesystem if server communications are interrupted in the future. The issue only occurs when the sensor never registers with the server.
Related Content