App Control: File Event rule triggers on files with prevalence of zero

Article ID: 286222


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

A file event rule is created using prevalence=0 in the filter; however, the event is still being triggered on files that have no prevalence.

Environment

  • App Control (formerly CB Protection) Console: All Supported Versions

Cause

At the time of the event, the file prevalence is always one (or higher).

Resolution

  • Do not filter for a prevalence of zero in a file event rule.
  • At the time of the event, the file will always have a prevalence of at least one.
  • The file may be a temporary file that is immediately deleted, so its prevalence may change after the rule is triggered.
  • Using a prevalence of zero in a file rule may cause unexpected behavior in other product functions that rely on the rule actions.