Certain process searches can cause significant performance issues in Carbon Black EDR.
Two types of searches that can have a negative impact are:
- Searches with leading wildcards
- Searches with binary terms (which require a join between the process and module databases) if you have very large modules cores; see Searching with Binary Joins.
Beginning with Carbon Black EDR version 6.2.3, these searches are blocked by default when executed through the console. However, there are options in both the console interface and the server configuration file (cb.conf) for blocking and unblocking these types of process searches.
The blocking features, both from cb.conf and through the console, apply only to interactive searches in the console. Searches executed via the API, existing watchlists or feeds are not impacted by these settings.
For more information about cb.conf, see the Carbon Black EDR Server Configuration Guide.
