Knowledge Base

Yes

Environment

Enterprise EDR: All Version
Carbon Black Cloud Sensor: All Supported Versions
Linux: All Supported Versions

Question

Why are Kernel-Devel Headers required on some Linux Distros?

Answer

The new Linux sensors uses Berkeley Packet Filter "eBPF" technology to collect Enterprise EDR events and BPF requires Kernel-Devel Package to be installed.

Additional Notes

There are some Linux distributions that actually build their kernel in such a way that the headers are available through a special kernel module. In these cases, they don’t specifically have to install the Kernel-Devel package.
Centos/RHEL 7 uses our kernel module instead of BPF.
Kernel modules have the ability to bring down the machine, whereas BPF cannot, which is why CB has choses BPF for kernels that support it.
LiveQuery/LiveResponse do not require BPF and therefor do not require Kernel-Devel
Search endpoint page for sensor in bypass and verify Kernel Headers are installed for listed devices.
```
sensorStates:"REMGR_INIT _ERROR"
```

Knowledge Base

Enterprise EDR: Why are Kernel-Devel Headers required on some Linux Distros?

Enterprise EDR: Why are Kernel-Devel Headers required on some Linux Distros?

Environment

Question

Answer

Additional Notes

Related Content

Carbon Black Cloud

Endpoint Standard

Knowledge Base

Enterprise EDR: Why are Kernel-Devel Headers required on some Linux Distros?

Enterprise EDR: Why are Kernel-Devel Headers required on some Linux Distros?

Environment

Question

Answer

Additional Notes

Related Content

Carbon Black Cloud

Endpoint Standard

Thank you for your feedback.

Thank you for your feedback.