Sensor Error Handling

In certain cases, sensors suspend their own functionality to handle errors and keep the machine on which they are installed running smoothly.

The sensor typically handles these error scenarios:

  • Collection issues

  • Sensor performance issues

  • CPU-related issues

Collection issues (all OS)

The Cybereason platform displays four possible sensor states that relate to collection functionality. Cybereason displays these states in the UI under the Sensors section of the System > Overview screen and/or in the installer file logs:

| State in Cybereason UI | State in Installer File | Description |
|---|---|---|
| Enabled | ACTIVE_NORMAL | The sensor actively collects data and transmits it to the server. |
| Suspended | ACTIVE_DELAYED | The sensor has shut down automatically and has stopped collecting data for a period of time. |
| Disabled | INACTIVE | The sensor’s data collection has been disabled. |
| Service error | N/A | The sensor is connected to the Cybereason servers; however, due to an error, collection capabilities are affected. |

To identify sensors that are experiencing a service error:

  1. In the System > Sensors screen, click Columns and add the Service status column and the Sensor status column.

  2. In the search box, search for sensors with a Sensor status of Online and a Service status of Down.

The sensors that are visible in the search results are experiencing a service error. The number of sensors in the search results should match the number of sensors displayed next to Service error in the System > Overview screen.

Sensors with a Service status of Up are not experiencing a service error.

To resolve this error, restart the sensor or contact Technical Support.

If the collection module on the sensor experiences problems, the sensor collection state changes to Suspended (ACTIVE_DELAYED) for an hour during which collection is stopped. The sensor maintains its connection to the server and receives actions from the server during this time. After this hour, the sensor returns to Enabled (ACTIVE_NORMAL) state.

When a sensor changes to the Suspended state, Endpoint Protection/NGAV features (like Anti-Ransomware and Anti-Malware) continue to function, but you cannot change sensor settings, and the sensor does not send data from these features to the server.
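
The state table and the service-error check above can be applied to a sensor inventory to list endpoints whose collection is currently interrupted. The following is an added example, not Cybereason code: the CSV layout, column names and hostnames are constructed assumptions and do not represent the platform's export format.

```python
import csv
import io

# UI state -> installer-log state, as listed in the table above.
UI_TO_INSTALLER = {
    "Enabled": "ACTIVE_NORMAL",
    "Suspended": "ACTIVE_DELAYED",
    "Disabled": "INACTIVE",
}

# Constructed sample inventory; column names are assumptions for this example.
SAMPLE_CSV = """hostname,sensor_status,service_status,collection_state
ws-001,Online,Up,Enabled
ws-002,Online,Down,Enabled
ws-003,Online,Up,Suspended
srv-010,Online,Up,Disabled
ws-004,Offline,Down,Enabled
"""

def classify(row):
    """Return the collection-gap category for one sensor row, or None."""
    sensor = row["sensor_status"].strip().lower()
    service = row["service_status"].strip().lower()
    state = row["collection_state"].strip().capitalize()
    # Service error: Sensor status Online and Service status Down.
    if sensor == "online" and service == "down":
        return "service_error"
    if state == "Suspended":
        return "suspended"
    if state == "Disabled":
        return "disabled"
    if state not in UI_TO_INSTALLER:
        return "unknown_state"
    return None

def triage(csv_text):
    """Group hostnames by collection-gap category."""
    gaps = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        category = classify(row)
        if category:
            gaps.setdefault(category, []).append(row["hostname"])
    return gaps

if __name__ == "__main__":
    for category, hosts in sorted(triage(SAMPLE_CSV).items()):
        print(f"{category}: {', '.join(hosts)}")
```

The length of the service_error list is the figure to compare against the Service error count in the System > Overview screen.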

Sensor performance issues (Windows only)

If sensor shutdowns occur 10 times within 24 hours, the sensor enters Sensor safe mode for 30 minutes. During this time, the sensor’s MinionHost process stops running.

During Sensor safe mode:

  • For versions prior to 18.0:

    The sensor does not maintain its connection to the server. The sensor appears Offline in the Sensors screen and you cannot interact with the sensor during this time.

  • For versions 18.0+:

    The sensor remains connected to the server and can receive and perform a limited number of actions (fetch logs and upgrade). In the Sensors screen, the collection state is Suspended (ACTIVE_DELAYED), meaning that collection is stopped.

During Sensor safe mode, Endpoint Protection/NGAV features (such as Anti-Ransomware and Anti-Malware) continue to function, but you cannot change feature settings, and the sensor does not send data from these features to the server.

After 30 minutes in safe mode, the sensor attempts to return to its normal functionality.

Sensor behavior when exceeding 5% RAM

On Windows machines that exceed minimum resource requirements, when a sensor exceeds 5% average RAM usage over a period of 30 seconds, or experiences a spike of over 15% RAM, the sensor behavior depends on factors such as how recently it previously crashed or stopped collection. In some cases, the sensor suspends or disables collection, and in others the sensor enters Sensor safe mode.

This behavior applies to sensors that do not have any Endpoint Protection/NGAV settings enabled.