Different Security Application on an Endpoint Blocked Malware and the App Control Agent Did Not
Article ID: 284836
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Why did another security application on an endpoint block malware and the App Control Agent did not?
Environment
- App Control Agent: All Supported Versions
Resolution
There are multiple reasons why this could occur, including:
- The other application on the endpoint has a lower Filter Driver Altitude than the App Control Agent and acted first
- The Agent did not have time to act on the malware because the AV hooked and quarantined the file before the Agent could scan it
- This does not mean the App Control Agent would not have caught the malware if the the antivirus did not
- With the proper antivirus exclusions in place the App Control Agent would not scan processes from another security application on an endpoint
Additional Information
- These are potential explanations but are not the only possibilities.
- To investigate further, open a Support case and provide
- Details of the file (name, path, hash, etc)
- Details of the other security application
- If unable to reproduce the issue: Agent Historical Logs
- If able to reproduce the issue: Agent High Debug Logs while capturing a Low Altitude Procmon
Feedback
Yes
No
Powered by
