Process execution details appear in the panel to the right of the Process Tree on the Process Analysis page.


If the process is an executable, the following information is displayed:




The name of the process executable file.


The Process Identification (PID) number of the process.

OS Type

The operating system on which the process was executed.


The physical path from which the process was executed.


The name of the user who executed the process.


The MD5 hash value of the process.


The SHA-256 hash value of the process.

Note: Availability of SHA-256 hash data is dependent upon sensor capabilities. The macOS sensor version 6.2.4, which is packaged with Carbon Black EDR Server version 6.3, sends SHA-256 hashes to the server. Check VMware Carbon Black Support for information about other sensors that can generate SHA-256 hashes.

For files that were originally discovered by a sensor that did not provide SHA-256 hashes, process information for new executions show SHA-256 hashes, but binary entries show SHA-256 as (unknown) until they appear as new files on a sensor that supports SHA-256.

Start Time

The date and time of the process execution.

Interface IP

The IP address of the network adapter on the sensor.

Pre-5.1 sensors do not report an Interface IP.

Server Comms IP

The IP address from which the server recognizes the sensor that is reporting data.

If the sensor is communicating through a Proxy or NAT, the address is for the Proxy or NAT.