Below is a list of the various status indicators the Carbon Black Response sensor will report.
- Online – Sensor has been able to communicate with the Cb Response server within the previous expected check-in interval.
- Offline – Sensor has been unable to communicate with the Cb Response server for a period of time exceeding 5 minutes after the expected check-in interval provided during the previous check-in.
In addition to reporting a sensor as Offline, an additional qualifier may be added to the status if we have more information about why the sensor went offline. Specifically, other statuses include:
- Offline (Suspended) – Sensor detected that an OS-level suspend operation was taking place before the sensor going offline.
- Offline (Restarting) – Sensor detected that an OS-level restart operation was taking place before the sensor going offline.
- Offline (Isolate configured) – Sensor is offline as described above and marked for isolation upon next check-in.
- Offline Uninstalled – Appears when an uninstall was requested for an offline sensor.
The following statuses may appear when an uninstall is initiated from the Cb Response interface:
- Uninstall uninstalled – Requested uninstall operation has completed, and the sensor was successfully uninstalled.
- Uninstall pending uninstalled – Uninstall operation has been requested but has not yet completed.
In your Red Canary portal you will see references to the above statuses. Occasionally a status will be shown in the Red Canary portal that is not derived from the Cb Response states listed above. An example of this is the Missing status listed on the Endpoints page in the portal. Missing in this context means that we are not seeing data but we have not seen a "shutdown", "suspended" or other explicit state change signal from the sensor. This could mean that the system was suspended and the sensor didn't get the signal out yet, or it could be a loss of communication (on an airplane, no wireless, etc.).