App Control: What are "Suspicious file found" events?

Article ID: 286104

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

What do the "Suspicious file found" events in the console mean?

Environment

  • App Control Console: All supported Versions
  • App Control (Formerly CB Protection) Agent: 8.1.6 and Higher

Resolution

The "Suspicious file found" event appears when the App Control agent detects an MSI file that has data appended after its Authenticode signature. The signature on an MSI covers the compound-file (OLE) structure of the installer but not any bytes that trail it, so an attacker can append a payload to a legitimately signed installer without invalidating the signature. The event deals with the kind of attack outlined here: https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-Java-Embedded-MSI-files/ta-p/66446

Additional Information

  • The 8.1.6 agent may report false positives for this event; this was corrected in 8.1.8 and higher. EP-9536: Fixed an issue where suspicious file events were being sent to the server when MSI files had appended data, even if the MSI file was not signed. Now the event "Msifile has data appended after the signature." is sent only if the MSI file was signed.
  • Enabling the Rapid Config "Windows Installer Embedded File Protection" is also recommended.
    • https://community.carbonblack.com/t5/Documentation-Downloads/Windows-Installer-Embedded-File-Protection-Rapid-Config/ta-p/67075#M2016
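
The check described above (data trailing a signed MSI, and the 8.1.8 refinement of reporting it only when the file is signed) can be reproduced offline for triage. The following is an added example written for this article; it is not Carbon Black agent code and does not reproduce the agent's exact logic. It parses the OLE compound-file container that every MSI uses, finds where the container ends according to its own allocation table (so sector-aligned padding is still caught), checks whether the `\x05DigitalSignature` stream is present, and reports the trailing bytes. The `build_sample_msi` helper constructs a minimal two-sector container for demonstration; it is not a real installer, only follows the first 109 FAT sectors listed in the header (an assumption that holds for small files), and presence of the signature stream is not the same as a valid signature, which needs WinVerifyTrust.

```python
import struct

# Added example for this KB article, not Carbon Black code. Constants follow MS-CFB.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT = 0xFFFFFFFF
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
SIGNATURE_STREAM = "\x05DigitalSignature"  # stream MSI uses to hold its Authenticode signature


def analyze_msi(data: bytes) -> dict:
    """Report whether a signature stream exists and how many bytes follow the container."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file, so not an MSI")
    (sector_shift,) = struct.unpack_from("<H", data, 30)
    sector_size = 1 << sector_shift
    num_fat_sectors, first_dir_sector = struct.unpack_from("<II", data, 44)
    entries_per_sector = sector_size // 4

    def sector_offset(sid: int) -> int:
        # Sector n starts at (n + 1) * sector_size; the header occupies the slot before sector 0.
        return (sid + 1) * sector_size

    # The header lists the first 109 FAT sectors; larger files chain extra DIFAT
    # sectors, which this example does not follow (assumption: small MSI).
    fat = []
    for sid in struct.unpack_from("<109I", data, 76)[:num_fat_sectors]:
        if sid == FREESECT:
            break
        fat.extend(struct.unpack_from(f"<{entries_per_sector}I", data, sector_offset(sid)))

    # The highest sector the FAT marks as allocated bounds the real container; anything
    # beyond it is outside what the MSI signature covers, however it is padded.
    used = [i for i, v in enumerate(fat) if v != FREESECT]
    container_end = sector_offset(max(used) + 1) if used else 512

    # Walk the directory chain and collect every stream/storage name.
    names, sid, seen = [], first_dir_sector, set()
    while sid < len(fat) and sid not in seen:
        seen.add(sid)
        base = sector_offset(sid)
        for off in range(base, base + sector_size, 128):
            name_len, obj_type = struct.unpack_from("<HB", data, off + 64)
            if obj_type == 0 or name_len < 2:
                continue  # unused directory entry
            names.append(data[off:off + name_len - 2].decode("utf-16-le"))
        sid = fat[sid]

    return {
        "signed": SIGNATURE_STREAM in names,
        "container_end": container_end,
        "trailing_bytes": max(len(data) - container_end, 0),
    }


def is_suspicious(data: bytes) -> bool:
    """Mirror the 8.1.8+ rule: flag only a signed MSI with appended data.
    Unsigned MSIs with trailing bytes were the 8.1.6 false positives (EP-9536)."""
    r = analyze_msi(data)
    return r["signed"] and r["trailing_bytes"] > 0


def build_sample_msi(signed: bool, appended: bytes = b"") -> bytes:
    """Constructed minimal compound file: FAT in sector 0, directory in sector 1."""
    ss = 512
    fat = [FATSECT, ENDOFCHAIN] + [FREESECT] * (ss // 4 - 2)

    def entry(name: str, obj_type: int, child: int = NOSTREAM) -> bytes:
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(raw)] = raw
        struct.pack_into("<HBB", e, 64, len(raw), obj_type, 1)
        struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 116, ENDOFCHAIN, 0)
        return bytes(e)

    entries = [entry("Root Entry", 5, child=1 if signed else NOSTREAM)]
    if signed:
        entries.append(entry(SIGNATURE_STREAM, 2))  # empty stream stands in for the real PKCS#7 blob
    directory = b"".join(entries).ljust(ss, b"\x00")

    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # version, byte order, sector shifts
    struct.pack_into("<IIIIIIII", header, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # DIFAT: FAT lives in sector 0
    return bytes(header) + struct.pack("<128I", *fat) + directory + appended


if __name__ == "__main__":
    payload = b"PK\x03\x04 constructed payload"  # stands in for an appended JAR/ZIP
    for label, blob in [("signed, clean", build_sample_msi(True)),
                        ("signed, appended", build_sample_msi(True, payload)),
                        ("unsigned, appended", build_sample_msi(False, payload))]:
        print(f"{label:20} {analyze_msi(blob)}  suspicious={is_suspicious(blob)}")
```

Run it against a real installer with `analyze_msi(open(path, "rb").read())`; a non-zero `trailing_bytes` on a file that also reports `signed` is the condition the event describes, and the trailing region is what to carve out and inspect.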