Carbon Black Cloud: A blocking rule for .msi files works for all files except for CBC sensor install msi files.
search cancel

Carbon Black Cloud: A blocking rule for .msi files works for all files except for CBC sensor install msi files.

book

Article ID: 288156

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Adding this policy permission does indeed block all .msi files EXCEPT CBC sensor install .msi files like "installer_vista_win7_win8-64-3.9.2.2698.msi": 
path: **\*.msi
operation attempt: runs or is running
action: terminate process

 

Environment

  • Carbon Black Cloud Windows Sensors:  All versions
  • Carbon Black Cloud Servers:  All versions
  • Microsoft Windows: All versions

Cause

This scenario pertains to sensor upgrades. There is an overrideing build-in mechanism to allow for CBC sensor .msi files to run.

Resolution

There is a Feature Request (internal FR-003695) that would allow the blocking of CBC sensor install .msi files by policy.
Powered by Wolken Software