EDR: Why Do Some Filemods Show "Opened to Execute"


Article ID: 285763


Updated On:


Carbon Black EDR (formerly Cb Response)


What causes the filemod description to show 'opened to execute'?


  • EDR Server: All Supported Versions
  • EDR Sensor: All Supported Versions


  • The description is added when an application attempts a filemod within the Carbon Black installation directory.
  • This is similar to a tamper event, but here only the "opened to execute" description is added to the event.
For Linux sensors:
  • This is just a file open. As a result of the convergence of code from the EEDR sensor, the sensor sends an open file hook starting in the 7.1.0 sensor. The server picks this up as "opened to execute" because of the use case of the tamper feature in Windows.
  • This is currently being investigated.