EDR: Why Do Some Filemods Show "Opened to Execute"
Article ID: 285763
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
What causes the filemod description to show 'opened to execute'?
Environment
EDR Server: All Supported Versions
EDR Sensor: All Supported Versions
Resolution
The "opened to execute" text is added to a filemod event when an application performs a file modification on a file inside the Carbon Black sensor installation directory.
This is similar to a tamper event, but no separate tamper event is raised; the "opened to execute" wording is simply appended to the description of the filemod event itself.
For Linux sensors:
On Linux this is just a file open, not an execution. Starting with the 7.1.0 Linux sensor, code converged from the EEDR sensor sends an open-file hook event to the server, and the server records it as "opened to execute" because that same event serves the tamper-detection use case on Windows. A Linux filemod carrying this description therefore indicates only that a file in the installation directory was opened.