App Control: Extensionless Text Files Created on Linux Endpoint Not Discovered By Agent In Low Enforcement
Article ID: 287260
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Extensionless text files newly created on Linux endpoints are not discovered by the App Control agent, so no "new file discovered" events are created in the console for these files.
Environment
App Control Server: 8.6.2 and Higher
App Control Agent: 8.7.2 and Higher
Linux: All Supported Versions
Cause
The App Control agent does not recognize text files as interesting files and therefore they are not tracked.
Resolution
Create new text files either with an extension that the App Control agent will discover (e.g., .sh), or add a shebang (#!) to the file.
Additional Information
The App Control agent does not recognize text files as interesting files and therefore they are not tracked. The agent can track scripts, and there are script rules to identify and track those. That said, the agent will recognize a file without an extension as an interesting file if the file contains a shebang (#!).
All Windows files have extensions, and there is a script rule to track .bat files. On Linux, a file may have no extension. To track a file with a name like "textfile", one would need a script rule that looked for any file like ".", which would be problematic: it would track every single file on the system, which could have serious performance impacts on the agent and could make the console unusable given the number of files. Every time a file is altered (and Linux is a heavily file-I/O-intensive operating system), that file would have to be re-hashed and information about it sent to the server.
Ultimately this comes down to a tradeoff around usability and security efficacy.
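To see which existing files fall into the gap described above, the following added example (not Carbon Black code) lists extensionless text files that lack a shebang under a given directory. It assumes "extensionless" means no dot in the base name and "text" means grep -I does not treat the file as binary; this approximates the article's description and is not the agent's own classification logic.

```shell
#!/bin/sh
# Added example: find extensionless text files without a shebang, i.e. files
# that, per this article, the agent would not treat as interesting.
# Assumptions (not the agent's real logic):
#   - "extensionless" = base name contains no dot (so dotfiles are skipped)
#   - "text"          = non-empty and not classified as binary by grep -I
# File names containing newlines are not handled.

# has_shebang FILE: succeeds if the first two bytes of FILE are "#!"
has_shebang() {
    [ "$(head -c 2 -- "$1" 2>/dev/null)" = "#!" ]
}

# is_text FILE: succeeds if FILE is non-empty and grep considers it text
is_text() {
    [ -s "$1" ] && grep -Iq . -- "$1" 2>/dev/null
}

# find_untracked_candidates DIR: prints one matching path per line, sorted
find_untracked_candidates() {
    find "$1" -type f ! -name '*.*' -print | sort | while IFS= read -r f; do
        # Check is_text first so binary files are never read by has_shebang
        if is_text "$f" && ! has_shebang "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Run against the directory given on the command line, if any
if [ "$#" -gt 0 ]; then
    find_untracked_candidates "$1"
fi
```

Files reported by the scan are candidates for the resolution above: give them a tracked extension or add a shebang.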