CB Defense: Block Event Shows Deny and Terminate (Mac)
search cancel

CB Defense: Block Event Shows Deny and Terminate (Mac)

book

Article ID: 285940

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Some blocking Events show POLICY_DENY and POLICY_TERMINATE for Mac devices
  • Policy Blocking & Isolation rule shows 'Runs or is running' > 'Terminate process'

Environment

  • CB Defense PSC Console: All Versions
  • CB Defense Sensor: 3.2.2.6 - 3.3.1.x
  • Apple macOS: 10.14.4

Cause

Sensor is sending POLICY_DENY info in one field, POLICY_TERMINATE info in another and both are displayed on the Event in the PSC Console

Resolution

This will be fixed with the 3.3.2.36 Sensor for Apple macOS

Additional Information


Policy Blocking & Isolation rules using 'Runs or is running' actually employ both 'Deny operation' and 'Terminate process' Actions depending on the scenario. If the program is trying to run the action taken will be 'Deny operation', and if the program is already running the action taken will be 'Terminate process'.

 
Powered by Wolken Software