EDR: Process search returns non-existing cmdline

Environment

  • Carbon Black EDR (formerly CB Response) Console: All Versions

Symptoms

  • A process search on cmdline (for example cmdline:echo) returns a process whose own command line does not contain the search term
  • The bit9advancedthreats feed reports processes as having a cmdline containing "echo" when the process itself did not run echo

Cause

Process suppression (a non-minimal retention level) is enabled on the sensor group, so the child process that actually ran the command line has no process document of its own.

Resolution

This is expected behavior when a process retention (suppression) level is set on the sensor group. Setting the retention level to 'minimal' allows child processes to have their own process documents again, so a cmdline search returns the child rather than its parent.

Additional Notes

  • Setting the retention level to minimal reduces the amount of event data the server can keep. Expect a 15 to 20% reduction in overall retention on average.
  • The retention setting suppresses child processes that only perform modloads (the recommended level) or modloads and crossprocs (the maximum level) and places the child's cmdline into the parent's process document. The child can still be found by searching on its command line, but it has no document of its own, so it cannot be searched by process name and its modloads/crossprocs cannot be viewed.
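The following script is an added example, not code from the original article or from Carbon Black. It shows the practical consequence of the behavior above when reviewing search results: for a cmdline:<term> query, any hit whose own cmdline field lacks the term is a parent that was returned because a suppressed child's command line was folded into its document. The script splits the hits of such a query into the two groups. It runs on a constructed sample of the JSON body of GET /api/v1/process (only the field names are real; the values, hostnames and process ids are made up), so it works offline; replace the sample with a real response body to triage live results.

```python
"""Triage Carbon Black EDR process search hits returned for a cmdline term.

Added example, not code from the original article or from Carbon Black. With
process suppression enabled, a child's command line is indexed inside its
parent's process document, so a query such as cmdline:echo can return a parent
whose own cmdline field never contains "echo". This script splits the hits of
such a query into the ones whose own cmdline matches and the ones that only
matched through a suppressed child. The sample below is a constructed stand-in
for the JSON body of GET /api/v1/process; only the field names (results,
total_results, id, hostname, process_name, path, cmdline) are real and all
values are made up.
"""
import json

# Constructed sample (not a real server response). The WS01 hit ran the echo
# itself; the WS02 hit is a parent whose suppressed child carried the "echo".
SAMPLE_RESPONSE = json.dumps({
    "total_results": 2,
    "results": [
        {
            "id": "00000001-0000-1234-01da-000000000001",
            "hostname": "WS01",
            "process_name": "cmd.exe",
            "path": "c:\\windows\\system32\\cmd.exe",
            "cmdline": "cmd.exe /c echo started > c:\\temp\\run.log",
        },
        {
            "id": "00000001-0000-5678-01da-000000000002",
            "hostname": "WS02",
            "process_name": "powershell.exe",
            "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
            "cmdline": "powershell.exe -NoProfile -File c:\\scripts\\deploy.ps1",
        },
    ],
})


def own_cmdline_matches(hit: dict, term: str) -> bool:
    """True when the hit's own cmdline field contains term (case-insensitive)."""
    return term.lower() in hit.get("cmdline", "").lower()


def partition_hits(response_body: str, term: str) -> tuple[list[dict], list[dict]]:
    """Split the hits of a cmdline:<term> search into (direct, via_child).

    direct     hits whose own cmdline contains term
    via_child  hits whose own cmdline lacks term: consistent with a parent that
               absorbed a suppressed child's cmdline, so the child has no
               process document of its own to open
    """
    hits = json.loads(response_body)["results"]
    direct = [h for h in hits if own_cmdline_matches(h, term)]
    via_child = [h for h in hits if not own_cmdline_matches(h, term)]
    return direct, via_child


def report(response_body: str, term: str) -> list[str]:
    """One line per hit saying how it matched, for quick review."""
    direct, via_child = partition_hits(response_body, term)
    lines = [f"{h['hostname']} {h['process_name']} matched {term!r} in its own cmdline"
             for h in direct]
    lines += [f"{h['hostname']} {h['process_name']} returned for {term!r} via a "
              f"suppressed child; its own cmdline is {h['cmdline']!r}"
              for h in via_child]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RESPONSE, "echo"):
        print(line)
```

Hits in the via_child group are the ones the article describes: the parent document is all that exists, so the child's process name, modloads and crossprocs are not available until the sensor group's retention level is set to minimal. Hits in the direct group are unaffected by suppression.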

Article Information
Creation Date: 04-03-2024