App Control: File Locking on Appdata\Temp\Expression_Host DLL
Article ID: 288760
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
File locking on a randomly generated and randomly named file matching:
C:\users\<USERNAME>\Appdata\Local\Temp\expression_host_*.dll
Environment
- App Control Agent: 8.1.8 and Lower
- Microsoft Window: All Supported Versions
Cause
This is caused by a temporary sharing violation on the analysis during write, of the DLL during the hashing process.
Resolution
Sharing violations are significantly reduced on agent versions 8.1.10 and higher. An upgrade the most recent release is recommended.
If upgrade is not possible, a work around can be applied to ignore the write of the DLL. This allows the hashing to take place further in the chain, when the execution of the DLL takes place. Enter a custom rule below:
Rule Type
If upgrade is not possible, a work around can be applied to ignore the write of the DLL. This allows the hashing to take place further in the chain, when the execution of the DLL takes place. Enter a custom rule below:
Rule Type
Performance OptimizationTarget File or Path
C:\Users\*\AppData\Local\Temp\expression_*.dllTarget Process
vbc.exePolicy
If possible only select the policy, with the device effected
Additional Information
The work around above, does reduce visibility to DLL matching the name, written to that directory. Please review, and approve with your security team.
Feedback
Yes
No
Powered by
