This topic describes sensor diagnostics data on the Sensor Details page. For additional sensor troubleshooting information, see the Carbon Black EDR Sensor Installation Guide.

Communication Failures

The Communication Failures section of the Diagnostics panel shows the timestamp and failure code of communication failures between the sensor and the server.

You can locate the correct failure code and cross-reference it with the information provided at https://curl.haxx.se/libcurl/c/libcurl-errors.html. For example, if you see error code 0x80c80013, locate 13 on this page.

Driver Diagnostics

The Driver Diagnostics section of the Diagnostics panel shows diagnostic information about the sensor driver.

Carbon Black EDR macOS sensors have the following components:

  • CbSystemProxy – A core kernel driver that improves interoperability with third-party products. When the macOS sensor is uninstalled, the next two kernel drivers are immediately removed and unloaded. The core kernel driver remains until the system reboots. Immediately unloading the core kernel driver can cause system instability if other products (typically security) are running in the system that integrate in the same way as Carbon Black EDR.

  • CbOsxSensorProcmon – A kernel driver to capture all other events on macOS 10.15 and earlier.

  • CbOsxSensorNetmon – A kernel driver to capture network events on macOS 10.15 and earlier.

  • CbOsxSensorService – A user-mode service to communicate with the Carbon Black EDR server.

  • es-loader.es-extension – A user-mode driver to capture all events on macOS 11.0 and later.

Carbon Black EDR Windows sensors have the following components:

  • CoreDriver

    • For Windows XP/2003/Vista/2008 (Vista server version), the driver binary name is carbonblackk.sys .

    • For Windows 7 and later, the binary name is cbk7.sys .

    • In all cases, the core driver is a mini-filter driver with the service name carbonblackk .

    • The core driver captures all events except for network connection events and passes all events, except tamper detection events, to the user-mode service.

    • The core driver attempts to directly send Tamper detection events to the Carbon Black EDR server. If this fails, then the core driver attempts to send the Tamper detection events to the user-mode service.

  • Network Filter Driver

    • For Windows XP/2003, the network filter driver is a Transport Driver Interface (TDI) filter driver with the binary name cbtdiflt.sys and service name cbtdiflt .

    • For Windows Vista and later, the network filter driver is a Windows Filter Platform (WFP) driver with the binary name cbstream.sys and service name cbstream .

    • The network filter driver is responsible for collecting network connection events and implementing the network isolation feature of the Windows sensor.

  • User-mode Service

    • The sensor uses a user-mode service with the binary name cb.exe and service name CarbonBlack .

    • This service communicates with the core and network filter drivers to gather and process events from the kernel and send those to the server.

Carbon Black EDR Linux sensors have the following components:

  • Kernel Module – This module does the following:

    • Uses a binary named cbsensor.ko.<kernel version> where the <kernel version> is a currently supported kernel.

    • Captures all system events and makes them available to the user mode daemon to process.

    • Exposes performance statistics in the /proc/cb directory.

  • User Mode Daemon – This user-mode daemon uses a binary named cbdaemon . This service communicates with the kernel module to gather and process events to be sent to the server.

The sensor starts recording activity as soon as the core driver is loaded. It queues up the activity for the user mode service to receive as soon as it starts. This occurs early in the sensor boot process.

The network driver is loaded after the core driver, but it also starts recording as soon as it is loaded, and it also queues events for the user mode service.

These kernel driver components usually work in sync with each other, but it is possible for the sensor to be communicating with the server while one of the drivers is inoperable.

The Driver Diagnostics section of the Diagnostics panel shows the following information about the status of these drivers:

Field

Description

Timestamp

The date and time that the driver was loaded.

Name

The name of the driver.

Version

The version of the driver.

Is Loaded

Shows whether the driver is loaded (true or false).

Load Status

The load status of the driver.

Reducing the Impact of Netconn Data Collection (Windows)

On systems that have a large number of network connections (for example, DHCP/DNS servers, domain controllers, build servers, etc.), netconn data collection by the sensor can cause significant CPU utilization by the Carbon Black service. If this is an issue but you want to continue collecting netconn data, Windows sensors beginning with v6.1.4 let you disable the DNS name resolution in data collection for network connections, thereby reducing the amount of netconn traffic on these systems. This is done by configuring the following Windows registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config]
"DisableNetConnNameResolution"=dword:00000001

Event Diagnostics

The Event Diagnostics panel shows the date and timestamp (in GMT) of sensor events, together with the number of each of the following event elements:

  • Messages Generated
  • Messages Logged
  • Raw Events Observed
  • Raw Events Throttled
  • Raw Events in Process
  • Raw Events Filtered Out
  • Raw Events Discarded