Cb Defense: TTP ACCESS_EMAIL_DATA attached to all Alerts where edb files are accessed
Article ID: 285613

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Why does Cb Defense generate the Alert "[filename] accesses files containing user data." with TTP ACCESS_EMAIL_DATA every time a non-email-related .edb file is accessed? Example alert text:
The application C:\Windows\System32\taskhost.exe attempted to access the Email file "C:\Users\<username>\AppData\Local\Microsoft\Internet Explorer\Indexed DB\temp.edb"

Environment

  • Cb Defense PSC Console: All Versions
  • Cb Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

Exchange does use .edb database files to store email data, but Windows also uses the .edb file format for its general-purpose indexed storage technology, the Extensible Storage Engine (ESE). Currently, the Cb Defense Analytics Engine identifies all .edb files as email files, regardless of which application owns them.
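As an added triage illustration (not part of this article or of the Carbon Black product), the helper below parses alert text in the format quoted above and labels the accessed .edb file by where it lives, so an analyst can separate Exchange mailbox databases from Windows ESE stores. The directory names used as hints and the sample alert lines are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Regex for the alert sentence format quoted in this article.
ALERT_RE = re.compile(
    r'^The application (?P<app>.+?) attempted to access the Email file "(?P<file>[^"]+)"$'
)

# Assumed, not from the article: directory names that mark Windows ESE stores
# holding no mail (IE/Edge "Indexed DB", Windows Search index under "Search").
WINDOWS_ESE_DIRS = {"indexed db", "search"}
# Assumed: any .edb under an "Exchange Server" install directory is a mailbox database.
EXCHANGE_DIR = "exchange server"


def parse_alert(text):
    """Return {'app': ..., 'file': ...} for a matching alert sentence, else None."""
    m = ALERT_RE.match(text)
    return m.groupdict() if m else None


def classify_edb(path):
    """Label an accessed file: 'exchange-database', 'windows-ese', 'unknown-edb' or 'not-edb'."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".edb":
        return "not-edb"
    parts = {part.lower() for part in p.parts}
    if EXCHANGE_DIR in parts:
        return "exchange-database"
    if parts & WINDOWS_ESE_DIRS:
        return "windows-ese"
    return "unknown-edb"  # an .edb outside the known locations still needs a human look


def triage(alerts):
    """Map each alert to (app, file, label); lines that do not parse are labelled 'unparsed'."""
    out = []
    for text in alerts:
        fields = parse_alert(text)
        if fields is None:
            out.append((None, text, "unparsed"))
        else:
            out.append((fields["app"], fields["file"], classify_edb(fields["file"])))
    return out


# Constructed sample alerts in the article's format (user names and paths are made up).
SAMPLE_ALERTS = [
    r'The application C:\Windows\System32\taskhost.exe attempted to access the Email file "C:\Users\jdoe\AppData\Local\Microsoft\Internet Explorer\Indexed DB\temp.edb"',
    r'The application C:\Windows\System32\SearchIndexer.exe attempted to access the Email file "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"',
    r'The application C:\Temp\unknown.exe attempted to access the Email file "C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB01\DB01.edb"',
    "Some other alert text that does not match the pattern",
]

if __name__ == "__main__":
    for app, path, label in triage(SAMPLE_ALERTS):
        print(f"{label:18} {app} -> {path}")
```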

Additional Information

Files with the .edb extension may contain sensitive information even when they are not email related, so in the future Carbon Black plans to remove the ACCESS_EMAIL_DATA TTP from edb-related Alerts and replace it with a more specific and accurate TTP. This article will be updated when that change has been implemented.