Allow Inaccessible Files

Article ID: 286740

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

This article describes the Agent Config used to allow Inaccessible Files. It is typically beneficial when the Agent is enforcing Unanalyzed Blocks.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Cause

Unanalyzed file blocks occur when the Agent does not have time to properly analyze a file. This is typically caused by latency on the endpoint, with network or third-party antivirus being the most common root causes.

Resolution

  1. Verify the Agent Exclusions are present in any other antivirus/security software on the endpoint.
  2. Verify the latest version of the Agent is installed. This eliminates the possibility that the behavior is related to a known issue.

If the issue persists, or as directed by Support, the following workaround may resolve the issue:

  1. Log in to the Console and navigate to https://ServerAddress/agent_config.php > Add Agent Config:
    • Property Name: Allow Inaccessible files
    • Host ID: 0 (0 will send the config to all machines)
    • Value:
      allow_inaccessible_files=0x02
    • Status: Enabled
    • Create For: All, or only relevant Policies
  2. Click Save.

Additional Information

  • You can specify which blocks get suppressed depending on the reason that the files were inaccessible:
    • File not existing = 0x02
    • File is not interesting = 0x04
    • Failed to hash file = 0x08
    • Unknown open error = 0x10
    • Access to file denied = 0x20
    • Sharing violation = 0x40
    • Other error = 0x80
    • These values can be combined. For example: specifying allow_inaccessible_files=0x60 would approve both access errors and sharing violation errors.
    • allow_inaccessible_files=1 includes all of the above
  • Conflicts or Overlaps: If allow_inaccessible_files is enabled (value=1), there is no need to additionally have approve_inaccessible_files_based_on_last_known_state enabled.
  • Security Risk: Moderate (A malicious actor could overwrite an unknown or approved file with new content and lock the file, preventing analysis as a means of bypassing enforcement)
  • Operational Risk: Net plus; decreases the number of analyzed blocks
  • Setting the Host ID to "0" sends the configuration to all Agents, otherwise a specific Host ID could be used.
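
The bit values listed under Additional Information can be decoded and combined programmatically, which helps when reviewing what an existing Agent Config actually suppresses or when building the narrowest value for a given block reason. The Python below is an added example, not part of the original article or of any App Control tooling; the function names are hypothetical, and rejecting bits that the article does not list is an assumption of this example.

```python
# Added example: decode and compose allow_inaccessible_files values
# using only the reason codes listed in this article.
REASONS = {
    0x02: "File not existing",
    0x04: "File is not interesting",
    0x08: "Failed to hash file",
    0x10: "Unknown open error",
    0x20: "Access to file denied",
    0x40: "Sharing violation",
    0x80: "Other error",
}
ALL_BITS = sum(REASONS)  # every documented bit set (0xFE)


def parse_value(setting):
    """Accept 'allow_inaccessible_files=0x60', '0x60' or '1'; return an int."""
    raw = setting.split("=", 1)[-1].strip()
    return int(raw, 0)  # base 0 handles both hex (0x..) and decimal


def decode(setting):
    """List the inaccessible-file reasons whose blocks the value suppresses."""
    value = parse_value(setting)
    if value == 1:  # per the article, 1 includes all of the reasons
        return list(REASONS.values())
    unknown = value & ~ALL_BITS
    if unknown:  # assumption: treat bits the article does not list as an error
        raise ValueError(f"bits not documented in the article: {unknown:#04x}")
    return [name for bit, name in REASONS.items() if value & bit]


def compose(*names):
    """Build the narrowest config value covering only the named reasons."""
    by_name = {name: bit for bit, name in REASONS.items()}
    value = 0
    for name in names:
        value |= by_name[name]  # KeyError for a reason not in the table
    return f"allow_inaccessible_files={value:#04x}"


if __name__ == "__main__":
    print(decode("allow_inaccessible_files=0x60"))
    print(compose("File not existing"))
```

Because of the Security Risk noted above, running `decode` against the value currently deployed shows whether it suppresses more block reasons than the ones being troubleshot.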