App Control: Allow Inaccessible Files

Article ID: 286740

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Agent is enforcing Block Events with "Still Analyzing" or "Unapproved".
  • A hash is not listed in the reported Block Event, with no hyperlink for "File Details".

Environment

  • App Control Agent: All Supported Versions

Cause

The Agent was unable to properly analyze the file, and the Policy is configured to Block Unanalyzed Scripts and Executions. This is typically caused by latency on the endpoint, with network or third-party antivirus being the most common root causes.
 

Resolution

  1. Verify all other antivirus/security software has the Agent Exclusions correctly added.
  2. Upgrade to the latest Agent version to eliminate any known issues.

If the issue persists, or as directed by Support, the following workaround may resolve the issue:
  1. Log in to the Console and navigate to https://ServerAddress/agent_config.php > Add Agent Config:
    • Property Name: Allow Inaccessible files
    • Host ID: 0 (0 will send the config to all machines)
    • Value:
      allow_inaccessible_files=0x02
    • Status: Enabled
    • Create For: All, or only relevant Policies
    • Save the configuration change

Additional Information

  • You can specify which blocks get suppressed depending on the reason that the files were inaccessible:
    • File not existing = 0x02
    • File is not interesting = 0x04
    • Failed to hash file = 0x08
    • Unknown open error = 0x10
    • Access to file denied = 0x20
    • Sharing violation = 0x40
    • Other error = 0x80
    • These values can be combined. For example: specifying allow_inaccessible_files=0x60 would approve both access errors and sharing violation errors.
    • allow_inaccessible_files=1 includes all of the above
  • Security Risk: Moderate (A malicious actor could overwrite an unknown or approved file with new content and lock the file, preventing analysis as a means of bypassing enforcement)
  • Operational Risk: Net plus; decreases the number of analyzed blocks
  • Conflicts or Overlaps: If allow_inaccessible_files is enabled (value=1), there is no need to additionally have approve_inaccessible_files_based_on_last_known_state enabled.
  • Setting the Host ID to "0" sends the configuration to all Agents; otherwise, a specific Host ID can be used.
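
The following is an added example, not part of the original article or of Carbon Black's tooling: it decodes a configured allow_inaccessible_files value against the flag list above and reports whether it suppresses more block reasons than the operator intended. The function names are hypothetical, and treating 0x20 and 0x40 as the reasons a locked file would produce is an assumption made here to relate the value to the Security Risk bullet.

```python
import re

# Flag values exactly as listed in this article.
REASONS = {
    0x02: "File not existing",
    0x04: "File is not interesting",
    0x08: "Failed to hash file",
    0x10: "Unknown open error",
    0x20: "Access to file denied",
    0x40: "Sharing violation",
    0x80: "Other error",
}
ALL_DOCUMENTED = sum(REASONS)  # 0xFE

# Assumption (not stated in the article): a file locked by another process
# surfaces as one of these two reasons.
LOCK_RELATED = 0x20 | 0x40

def parse_value(line):
    """Parse 'allow_inaccessible_files=<hex or decimal>' into an int."""
    m = re.fullmatch(
        r"\s*allow_inaccessible_files\s*=\s*(0[xX][0-9a-fA-F]+|\d+)\s*", line)
    if not m:
        raise ValueError(f"not an allow_inaccessible_files setting: {line!r}")
    return int(m.group(1), 0)

def audit(line, intended=0x02):
    """Decode a setting and compare it with the mask the operator intended.

    'intended' defaults to 0x02, the value used in the workaround above.
    """
    value = parse_value(line)
    # The article states that the value 1 includes every listed reason.
    mask = ALL_DOCUMENTED if value == 1 else value
    return {
        "reasons": [name for bit, name in REASONS.items() if mask & bit],
        # Bits that do not appear in the article's list.
        "undocumented_bits": mask & ~ALL_DOCUMENTED,
        # Documented reasons suppressed beyond what was intended.
        "broader_than_intended": mask & ~intended & ALL_DOCUMENTED,
        "lock_related": bool(mask & LOCK_RELATED),
    }

if __name__ == "__main__":
    # Constructed sample values for illustration.
    for sample in ("allow_inaccessible_files=0x02",
                   "allow_inaccessible_files=0x60",
                   "allow_inaccessible_files=1"):
        print(sample, "->", audit(sample))
```
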