Cb Defense: TTP ACCESS_EMAIL_DATA attached to all Alerts where edb files are accessed
Article ID: 285613
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Why does Cb Defense generate the Alert "[filename] accesses files containing user data." with the TTP ACCESS_EMAIL_DATA every time a non-email .edb file is accessed? Example alert text:
The application C:\Windows\System32\taskhost.exe attempted to access the Email file "C:\Users\<username>\AppData\Local\Microsoft\Internet Explorer\Indexed DB\temp.edb"
Environment
Cb Defense PSC Console: All Versions
Cb Defense Sensor: All Versions
Microsoft Windows: All Supported Versions
Resolution
Exchange does store its mailbox databases in .edb files, but Windows also uses the .edb extension for its own Extensible Storage Engine (ESE) databases (for example the Internet Explorer IndexedDB store in the alert above, or the Windows Search index). Currently the Cb Defense Analytics Engine classifies every .edb file as an email file, so any process that opens such a file is tagged with ACCESS_EMAIL_DATA regardless of what the database actually contains.
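Because the sensor labels by extension, the analyst has to separate "Exchange mailbox database" from "some other ESE store" at triage time. The script below is an added example (not Carbon Black code) that does this for a batch of alert records: it classifies the alerted path against a small set of assumed locations for Exchange and for common Windows ESE stores, and includes a check of the ESE file header (signature 0x89ABCDEF at offset 4), which confirms only that a file is an ESE database and can never tell email data from non-email data. The path patterns, the alert record shape and the sample alerts are constructed for the example.

```python
"""Triage helper for Cb Defense ACCESS_EMAIL_DATA alerts raised on .edb files.

Added example, not Carbon Black code. The path patterns, the alert record
shape and the sample alert records are assumptions / constructed data.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# An ESE database file starts with a 4-byte checksum followed by the signature
# 0x89ABCDEF stored little-endian, i.e. bytes 4..8 are EF CD AB 89. Exchange
# mailbox stores and Windows' own ESE stores share this format, so the header
# can confirm "this is an ESE database" but never "this is email data".
ESE_SIGNATURE = b"\xef\xcd\xab\x89"

# Assumed (case-insensitive) locations of common non-mail ESE stores.
# Anything that matches none of these falls through as "unknown".
KNOWN_WINDOWS_ESE = [
    (re.compile(r"\\Internet Explorer\\Indexed ?DB\\", re.I), "IE IndexedDB store"),
    (re.compile(r"\\Microsoft\\Search\\Data\\.*\\Windows\.edb$", re.I), "Windows Search index"),
    (re.compile(r"\\Microsoft\\Windows\\WebCache\\", re.I), "WebCache"),
]
# Assumed Exchange mailbox database location (default install layout).
EXCHANGE_MAILBOX = re.compile(r"\\Exchange Server\\V\d+\\Mailbox\\", re.I)


def is_ese_database(header: bytes) -> bool:
    """True if the first 8 bytes of a file carry the ESE signature at offset 4."""
    return len(header) >= 8 and header[4:8] == ESE_SIGNATURE


def classify_edb_path(path: str) -> tuple[str, str]:
    """Classify an alerted path as exchange / windows-ese / unknown / not-edb."""
    if PureWindowsPath(path).suffix.lower() != ".edb":
        return "not-edb", "extension is not .edb"
    if EXCHANGE_MAILBOX.search(path):
        return "exchange", "under an Exchange mailbox database directory"
    for pattern, name in KNOWN_WINDOWS_ESE:
        if pattern.search(path):
            return "windows-ese", name
    return "unknown", "unrecognised .edb location, review manually"


def triage(alerts: list[dict]) -> list[dict]:
    """Annotate alert records (constructed shape: process, path, ttps) with a verdict.

    Only ACCESS_EMAIL_DATA alerts are classified. A 'windows-ese' verdict means
    the TTP is the extension-based mislabel described in the article, not that
    the access itself is benign.
    """
    out = []
    for a in alerts:
        if "ACCESS_EMAIL_DATA" not in a.get("ttps", []):
            out.append({**a, "verdict": "n/a", "reason": "no ACCESS_EMAIL_DATA TTP"})
            continue
        verdict, reason = classify_edb_path(a["path"])
        out.append({**a, "verdict": verdict, "reason": reason})
    return out


# Constructed sample alerts; the first mirrors the one quoted in the article.
SAMPLE_ALERTS = [
    {"process": r"C:\Windows\System32\taskhost.exe",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Internet Explorer\Indexed DB\temp.edb",
     "ttps": ["ACCESS_EMAIL_DATA"]},
    {"process": r"C:\Windows\System32\SearchIndexer.exe",
     "path": r"C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb",
     "ttps": ["ACCESS_EMAIL_DATA"]},
    {"process": r"C:\Temp\dump.exe",
     "path": r"C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1\Mailbox Database 1.edb",
     "ttps": ["ACCESS_EMAIL_DATA"]},
    {"process": r"C:\Temp\dump.exe",
     "path": r"D:\Backups\old.edb",
     "ttps": ["ACCESS_EMAIL_DATA"]},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(f"{row['verdict']:12} {row['process']} -> {row['path']} ({row['reason']})")
```

The path rules are only a first pass for this specific mislabel: a "windows-ese" verdict says the email TTP is wrong for that file, not that the access is harmless, since an IndexedDB or search-index store can still hold user data. Unknown locations and any non-system process reading a mailbox database still warrant a manual look.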
Additional Information
A .edb file may contain sensitive information even when it is not email related, so Carbon Black plans to remove the ACCESS_EMAIL_DATA TTP from .edb-related Alerts and replace it with a more specific and accurate TTP. This article will be updated when that change has been implemented.