TMP Files Left Behind on Network Share After Closing MS Office Applications
Article ID: 285111
Updated On:
Products
Carbon Black Cloud Endpoint Standard
Issue/Introduction
- After saving and/or closing an MS Office document residing on a network share, randomly named .tmp files are left behind
- Normally, these are created when editing an MS Office document and automatically deleted after saving and closing
- The tmp files are stored in the same path as the file that was edited
Environment
- Carbon Black Cloud Console: Current Version
- Carbon Black Cloud Windows Sensor: 4.x and Higher
- Microsoft Windows OS: All Supported Versions
- Microsoft Office Application: All Versions
- NTFS network shared drives
Cause
The CBC Windows sensor can track file operations that would cause sharing violations on network files, which leads to .tmp file versions of Microsoft Office documents.
Resolution
WORKAROUND: There are 2 sensor configprops that can be applied to validate the issue gets resolved:
- On the test endpoint, open an Admin CMD prompt > run the cmd:
cd "C:\Program Files\Confer" - Enable bypass mode on the sensor:
repcli bypass 1 - Move to the cfg.ini file and open with Notepad
- Add these 2 Configprop names and recommended values in the format:
PreventAccessViolationForNetworkFiles=1 PKCSBlobBasedSignerDetailExtractionEnabled=1 - Save changes to cfg.ini with "Save As" option; maintain the same file name and select a destination ex. C:\windows\temp\cfg.ini
- Move the old cfg.ini file out of original directory and keep as a backup
- Move the new cfg.ini file with the Configprop entry into original directory
- Update the CBC sensor config:
repcli updateconfig - Disable bypass mode
repcli bypass 0
RESOLUTION: Open a Broadcom Support case confirming if the workaround above was successful, so the configprops can be considered for additional to the entire ORG.
Feedback
Yes
No
Powered by
