Cb Protection: Windows files discovered with Write Ignore rules in place
Article ID: 286917
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
System files that should have been ignored by rules are being discovered.
Environment
Cb Protection Agent: All Supported Versions
Microsoft Windows: All Supported Versions
Cause
The file is discovered because another operation, such as an execute or a read, accesses it. Because of the way Windows handles files, and because all operations are tracked, a file covered by a write ignore rule may still be discovered.
Resolution
Adding execute allow rules may be required.
Ignoring all operations on a file will reduce visibility, so it is not recommended unless expressly required.