CB Response: Zero matching console events for SEP (Symantec) AV malicious file status change alert
Article ID: 289087
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
The SEP AV product generates an alert to notify that a file has been marked as malicious.
No events for this file exist on the CB Response console at the time of the alert.
Environment
CB Response Server: All Versions
CB Response Sensor: All Versions
SEP (Symantec) Anti-Virus agent
Cause
The SEP alert shows that a scan ran and that the file's malicious status was updated based on the file's metadata, not on any activity by the file.
Resolution
This is normal; files are regularly flagged this way without ever being executed, modified, or loaded. The CB Response sensor tracks files that are actively loaded or performing some action. If a file is not changed, deleted, executed, or loaded, the sensor creates no events for it, so the absence of console events at the time of the SEP alert is expected.
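A triage helper that applies the rule above to constructed sample data, added here as an example and not Carbon Black's or Symantec's own code: it checks whether the sensor recorded any tracked activity (execution, load, modification, deletion) for the alerted path around the SEP alert time. The event layout, field names and sample paths are assumptions, not the product's schema.

```python
"""Triage: does a SEP malicious-file alert have matching CB Response events?

Added example; event layout and field names are assumptions modelled on the
CB Response event types (filemod, modload, process), not the product's schema.
"""
from datetime import datetime, timedelta

# Constructed sample of events a sensor would record (assumed shape).
SENSOR_EVENTS = [
    {"ts": "2021-03-02T10:14:05", "type": "filemod", "action": "write",
     "path": "c:\\users\\alice\\downloads\\invoice.exe"},
    {"ts": "2021-03-02T10:14:40", "type": "process", "action": "start",
     "path": "c:\\users\\alice\\downloads\\invoice.exe"},
    {"ts": "2021-03-02T09:00:00", "type": "modload", "action": "load",
     "path": "c:\\program files\\app\\helper.dll"},
]

# (type, action) pairs that correspond to the activity the sensor tracks:
# execution, load, modification or deletion of the file.
TRACKED = {("process", "start"), ("modload", "load"),
           ("filemod", "create"), ("filemod", "write"), ("filemod", "delete")}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def matching_events(alert_path, alert_ts, events, window_minutes=30):
    """Tracked sensor events for the alerted path within +/- window of the alert."""
    t0 = parse_ts(alert_ts)
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    return [e for e in events
            if e["path"].lower() == alert_path.lower()
            and (e["type"], e["action"]) in TRACKED
            and lo <= parse_ts(e["ts"]) <= hi]


def triage(alert_path, alert_ts, events):
    """'expected-silence' when the file was only scanned (no execution, load,
    modification or deletion), otherwise 'events-present' with the hits."""
    hits = matching_events(alert_path, alert_ts, events)
    return ("events-present" if hits else "expected-silence"), hits


if __name__ == "__main__":
    # Constructed SEP alert: a scan flagged a file that was never run or changed.
    print(triage(r"c:\users\alice\documents\old_tool.exe", "2021-03-02T10:30:00", SENSOR_EVENTS))
    # A file that was written and then executed: console events exist.
    print(triage(r"c:\users\alice\downloads\invoice.exe", "2021-03-02T10:20:00", SENSOR_EVENTS))
```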