EDR: Why Do Some Filemods Show "Opened to Execute"
Article ID: 285763

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

What causes the filemod description to show 'opened to execute'?

Environment

  • EDR Server: All Supported Versions
  • EDR Sensor: All Supported Versions

Resolution

  • This description is added when an application attempts a filemod within the Carbon Black installation directory.
  • This is similar to a tamper event, but here only the "opened to execute" description is added to the filemod event.

For Linux sensors:
  • This is just a file open. With the convergence of code from the EEDR sensor, the Linux sensor sends an open-file hook starting with sensor version 7.1.0; the server records this as "opened to execute" because of the tamper feature's use case on Windows.
  • This is currently being investigated.