App Control: What are "Suspicious file found" events?
Article ID: 286104
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
What do the "Suspicious file found" events in the console mean?
Environment
App Control Console: All supported Versions
App Control (Formerly CB Protection) Agent: 8.1.6 and Higher
Resolution
The "Suspicious file found" event appears when the App Control agent detects an MSI file that has data appended after its digital signature, that is, bytes sitting beyond the end of the signed structured-storage content. Because that trailing data is not covered by the signature, the package still validates as signed while carrying extra content. The detection addresses the class of attacks outlined here: https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-Java-Embedded-MSI-files/ta-p/66446
Additional Information
The 8.1.6 agent can produce false positives for this event; this is corrected in agent 8.1.8 and later (EP-9536). Before the fix, a suspicious file event was sent to the server whenever an MSI file had appended data, even if the MSI was not signed. From 8.1.8 on, the event "Msifile has data appended after the signature." is sent only if the MSI file is signed.
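To make the two conditions above concrete (data beyond the signed content, and "signed" as a prerequisite for the event), here is an added illustration in Python; it is not the App Control agent's detection code and does not validate the Authenticode signature itself. It assumes the standard compound-file (OLE/CFB) layout that MSI packages use: the FAT tells you the last allocated sector, so any bytes past that sector are appended data, and a signed MSI carries its signature in a root-directory stream named "\x05DigitalSignature". The tiny compound file built by build_minimal_cfb is a constructed fixture for the demo, not a real installer.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
SIGNATURE_STREAM = "\x05DigitalSignature"  # stream holding the Authenticode blob in a signed MSI


def _sector(data, n, size):
    # Sector n starts right after the header-sized slot: offset (n + 1) * sector size
    return data[(n + 1) * size:(n + 2) * size]


def _u32s(buf):
    n = len(buf) // 4
    return list(struct.unpack("<%dI" % n, buf[:n * 4]))


def inspect_msi(data):
    """Return (signed, appended_bytes) for a compound-file image.

    signed: True if the root directory contains a \\x05DigitalSignature stream.
    appended_bytes: bytes present after the last FAT-allocated sector, i.e. data
    that the signed structured storage does not account for.
    """
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat = struct.unpack_from("<I", data, 44)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    first_difat = struct.unpack_from("<I", data, 68)[0]
    num_difat = struct.unpack_from("<I", data, 72)[0]

    # DIFAT: 109 entries live in the header, further ones in chained DIFAT sectors
    difat = _u32s(data[76:512])
    nxt = first_difat
    for _ in range(num_difat):
        entries = _u32s(_sector(data, nxt, size))
        difat.extend(entries[:-1])
        nxt = entries[-1]
    fat = []
    for s in [s for s in difat if s != FREESECT][:num_fat]:
        fat.extend(_u32s(_sector(data, s, size)))

    # Highest allocated sector marks the end of the structured storage
    used = [i for i, e in enumerate(fat) if e != FREESECT]
    end_of_storage = (max(used) + 2) * size
    appended = max(0, len(data) - end_of_storage)

    # Walk the directory chain and collect stream names from 128-byte entries
    names = set()
    s = first_dir
    while s not in (ENDOFCHAIN, FREESECT) and s < len(fat):
        sec = _sector(data, s, size)
        for off in range(0, size, 128):
            entry = sec[off:off + 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]
            if entry[66] == 0 or name_len < 2:  # unused directory entry
                continue
            names.add(entry[:name_len - 2].decode("utf-16-le"))
        s = fat[s]
    return SIGNATURE_STREAM in names, appended


def suspicious_file_found(data):
    """Mirror the 8.1.8+ rule: report only when the MSI is signed AND has trailing data."""
    signed, appended = inspect_msi(data)
    return signed and appended > 0


def build_minimal_cfb(with_signature_stream):
    """Constructed fixture: header + FAT (sector 0) + directory (sector 1), 512-byte sectors."""
    size = 512
    header = bytearray(512)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHH", header, 24, 0x003E, 0x0003, 0xFFFE, 9)  # minor, major, byte order, shift
    struct.pack_into("<H", header, 32, 6)            # mini sector shift
    struct.pack_into("<I", header, 44, 1)            # one FAT sector
    struct.pack_into("<I", header, 48, 1)            # directory starts in sector 1
    struct.pack_into("<I", header, 56, 4096)         # mini stream cutoff
    struct.pack_into("<I", header, 60, ENDOFCHAIN)   # no mini FAT
    struct.pack_into("<I", header, 68, ENDOFCHAIN)   # no extra DIFAT sectors
    header[76:512] = b"\xFF" * (512 - 76)
    struct.pack_into("<I", header, 76, 0)            # DIFAT[0]: the FAT is sector 0
    fat = bytearray(b"\xFF" * size)
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)  # sector 0 = FAT, sector 1 = directory
    directory = bytearray(size)

    def entry(name, obj_type):
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<H", e, 64, len(raw))
        e[66] = obj_type
        struct.pack_into("<III", e, 68, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)  # no siblings/child
        return e

    entries = [entry("Root Entry", 5)]
    if with_signature_stream:
        entries.append(entry(SIGNATURE_STREAM, 2))
    for i, e in enumerate(entries):
        directory[i * 128:(i + 1) * 128] = e
    return bytes(header + fat + directory)


if __name__ == "__main__":
    signed_msi = build_minimal_cfb(True)
    tampered = signed_msi + b"PK\x03\x04" + b"A" * 100  # constructed: ZIP-like payload glued on
    print("clean signed  :", inspect_msi(signed_msi), suspicious_file_found(signed_msi))
    print("signed+appended:", inspect_msi(tampered), suspicious_file_found(tampered))
    print("unsigned+appended:", suspicious_file_found(build_minimal_cfb(False) + b"PK\x03\x04"))
```

The appended-data measurement comes purely from the FAT, so it also flags a signed package whose trailing bytes are not a ZIP; the JAR case in the linked TAU TIN is just the best-known instance. The signed check only looks for the signature stream's presence; a real triage would additionally verify the Authenticode blob in that stream.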
Enabling the Rapid Config "Windows Installer Embedded File Protection" is also recommended.