Endpoint Standard Sensor: Network files being scanned despite "Scan files on network drives" setting being disabled
Article ID: 288451

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Network files being scanned despite "Scan files on network drives" setting being disabled
  • Policy is configured with "Scan execute on network drives" enabled and "Scan files on network drives" disabled

Environment

  • Endpoint Standard Sensor: All versions
  • Microsoft Windows: All Supported Versions

Cause

  • Browsing in Explorer often triggers an execute, and hence the files are scanned.
  • The Windows API for extracting file resources and icons relies on calling LoadLibraryExW with the LOAD_LIBRARY_AS_DATAFILE argument in order to map the PE file into memory and extract the resources.
  • Even though no process is created by double-clicking a file, simply browsing in Explorer often triggers "executions".
  • Content opened with execute access triggers policy enforcement.
  • Browsing in cmd.exe or powershell.exe would not exhibit this behavior.
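The following PowerShell script is an added example, not part of this article or the Carbon Black product, that reproduces the Explorer-style resource load described above: it maps a PE on a network drive with LoadLibraryExW and LOAD_LIBRARY_AS_DATAFILE and enumerates its icon groups without running the file's entry point. The share path is a placeholder; run it on a test endpoint to confirm that this call, and not a process launch, is what the sensor reports as an execute.

```powershell
# Added example (not from the KB article). P/Invoke signatures for the Win32 calls
# Explorer uses when it pulls icons out of a PE file.
$Sig = @'
using System;
using System.Runtime.InteropServices;
public static class PeRes {
    public const uint LOAD_LIBRARY_AS_DATAFILE = 0x00000002;   // map as data, no DllMain
    public delegate bool EnumResNameProc(IntPtr hModule, IntPtr lpszType, IntPtr lpszName, IntPtr lParam);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibraryExW(string lpFileName, IntPtr hFile, uint dwFlags);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool EnumResourceNamesW(IntPtr hModule, IntPtr lpszType, EnumResNameProc lpEnumFunc, IntPtr lParam);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FreeLibrary(IntPtr hModule);
}
'@
Add-Type -TypeDefinition $Sig

# Placeholder path: any PE (.exe/.dll) on a network drive in your test environment.
$Path = '\\fileserver\share\sample.dll'
$RT_GROUP_ICON = [IntPtr]14        # MAKEINTRESOURCE(RT_GROUP_ICON)

# Same access pattern as Explorer: the file is opened for execute and mapped as an image,
# so the sensor's "Scan execute on network drives" policy applies even though nothing runs.
$h = [PeRes]::LoadLibraryExW($Path, [IntPtr]::Zero, [PeRes]::LOAD_LIBRARY_AS_DATAFILE)
if ($h -eq [IntPtr]::Zero) {
    throw "LoadLibraryExW failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

$script:icons = New-Object System.Collections.Generic.List[string]
$cb = [PeRes+EnumResNameProc]{
    param($hModule, $type, $name, $lParam)
    # Resource names below 0x10000 are integer IDs (IS_INTRESOURCE); otherwise a string pointer.
    if ($name.ToInt64() -lt 0x10000) { $script:icons.Add("#$($name.ToInt64())") }
    else { $script:icons.Add([Runtime.InteropServices.Marshal]::PtrToStringUni($name)) }
    return $true    # keep enumerating
}
[void][PeRes]::EnumResourceNamesW($h, $RT_GROUP_ICON, $cb, [IntPtr]::Zero)
[void][PeRes]::FreeLibrary($h)

"Icon groups in ${Path}: $($script:icons -join ', ')"
```

After running this against a file on a network drive, check the sensor's events for the same scan that browsing the share in Explorer produces; running the same script from a local path shows the network-drive setting is what makes the difference.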

Resolution

This is expected behavior.