App Control: Why does the agent say a process was demoted?
Article ID: 288727
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Why do the App Control agent logs show in their events that a process was demoted?
Environment
App Control Agent: All Supported Versions
Resolution
Processes are demoted for a few reasons, but the most common is that the process is on the Never Trust list. This is a list of applications that VMware Carbon Black has designated to never be promoted. It keeps software that should not auto-approve downloads from being marked as an installer.
Additional Information
An example of why this is used is Outlook.exe. Without the Never Trust entry, if Outlook.exe were marked as an installer, all files downloaded from Outlook (all attachments) would be auto-approved. This would approve any malware that might be emailed in a phishing attempt.
The Never Trust ruleset auto-demotes the process, removing the auto-approve functionality.