EDR: Does EDR Collect Binaries for Executables that did not Execute

Article ID: 287969

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

Does the EDR sensor collect binaries for executables that are present on the machine but have not executed?

Environment

  • EDR Server: All Versions
  • EDR Sensor: All Versions

Resolution

No. The sensor does not inventory or scan the disk; it only records events as they happen on the endpoint. A malicious file can therefore sit on the endpoint indefinitely without the sensor reporting it. When the file first executes, the sensor reports the binary's metadata and uploads a copy of the binary to the server so that it is available for download and analysis.

Additional Information

  • A malicious file written by another process while the sensor is installed is still visible, because the sensor records the file-modification event: a filemod search for the path finds the process that created it. Until the file executes, however, no binary metadata exists for it and there is nothing to download. Only executables that have run are collected.
  • A file that was already on disk before the sensor was installed produces neither a filemod event nor a binary record until it executes, so it cannot be found by either search.
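To turn the distinction above into a triage step, here is an added example (my own code, not from the article or from Carbon Black): given a suspicious file's MD5 and on-disk path, it asks the EDR server for a binary record by hash and, when none exists, runs a filemod search for the path to find the process that dropped the file. It assumes the Carbon Black EDR REST API endpoints /api/v1/binary/<MD5> and /api/v1/process?q=..., the X-Auth-Token header and the filemod:"<path>" query field; the server URL, token, hash and paths are placeholders, and the fake transport at the bottom is constructed so the script runs offline.

```python
"""Added example, not from the Carbon Black KB article: decide whether the
sensor has ever seen a file execute (a binary record exists) and, if not,
fall back to a filemod search for the process that wrote it.

Assumptions (not confirmed by the article): the EDR REST API endpoints
GET /api/v1/binary/<MD5> and GET /api/v1/process?q=<query> with an
X-Auth-Token header; the filemod:"<path>" query field; and an injectable
HTTP transport so the logic can be exercised offline with the constructed
fake below. Server URL, token, hashes and paths are placeholders.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def http_get(url, headers):
    """Real transport: GET url and return (status, parsed JSON or None)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


def binary_seen(server, token, md5, get=http_get):
    """True when the server holds binary metadata for this MD5, which the
    sensor only reports once the file has executed on a monitored host."""
    status, _ = get(f"{server}/api/v1/binary/{md5.upper()}",
                    {"X-Auth-Token": token})
    return status == 200


def filemod_writers(server, token, path, get=http_get):
    """Processes whose recorded filemod events touch `path`. A file that was
    dropped but never run shows up here and nowhere else."""
    query = urllib.parse.quote(f'filemod:"{path}"')
    status, body = get(f"{server}/api/v1/process?q={query}&rows=50",
                       {"X-Auth-Token": token})
    if status != 200 or not body:
        return []
    return [(r.get("hostname"), r.get("process_name"), r.get("id"))
            for r in body.get("results", [])]


def triage(server, token, md5, path, get=http_get):
    """Classify the file the way the sensor's data model allows:
      ("executed", [])        binary metadata exists; a copy is downloadable
      ("dropped", writers)    no binary record, but filemod events show which
                              process wrote the file
      ("not_observed", [])    neither: the file predates the sensor or was
                              written without a recorded filemod event
    """
    if binary_seen(server, token, md5, get):
        return "executed", []
    writers = filemod_writers(server, token, path, get)
    return ("dropped", writers) if writers else ("not_observed", [])


# Constructed fake transport standing in for an EDR server: the binary has
# never executed (404), but a filemod search finds the dropper that wrote it.
def fake_dropped_only(url, headers):
    if "/api/v1/binary/" in url:
        return 404, None
    if "filemod%3A" in url:  # urllib.parse.quote encodes ':' as %3A
        return 200, {"results": [{"hostname": "WS01",
                                  "process_name": "dropper.exe",
                                  "id": "00000000-0000-0001-0000-000000000001"}]}
    return 200, {"results": []}


if __name__ == "__main__":
    verdict, writers = triage("https://edr.example", "TOKEN",
                              "d41d8cd98f00b204e9800998ecf8427e",
                              r"c:\users\public\payload.exe",
                              get=fake_dropped_only)
    print(verdict, writers)
```

Against a live server, drop the `get=` argument and the default `http_get` transport is used; a "dropped" verdict is the cue to pivot to the writer process's own binary and tree, since the dropped file itself will have no record until it runs.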