CB Response: Zero matching console events for SEP (Symantec) AV malicious file status change alert

Article ID: 289087

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • The SEP AV product generates an alert to notify that a file has been marked as malicious.
  • No events for this file exist on the CB Response console during the time of the alert.

Environment

  • CB Response Server: All Versions
  • CB Response Sensor: All Versions
  • SEP (Symantec) Anti-Virus agent

Cause

The SEP alert shows that a scan took place and that the file's malicious status was updated based on metadata read from the file; the scan itself does not execute, modify or load the file.

Resolution

This is normal and happens to files regularly without them ever being executed, modified or loaded. The CB Response sensor tracks files that are actively loaded, executed or performing some action; if there is no modification, delete, load or execution action, the sensor creates no events, so an AV scan that only reads a file leaves nothing to find on the console.
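To make this triage rule concrete, the following added example (not Carbon Black or Symantec code) correlates a SEP alert against a constructed list of sensor-style events. It assumes hypothetical event type labels and a hypothetical alert record; the point it shows is that a read-only scan produces no write, delete, load or execute event, so an empty result inside the alert window is expected rather than a sensor failure.

```python
from datetime import datetime, timedelta

# Hypothetical triage categories for the actions the sensor records on a file.
# A read-only AV scan is none of these, so it cannot appear in this set.
SENSOR_RECORDED = {"process_start", "filemod_write", "filemod_delete", "modload"}

# Constructed sample events for illustration only (not real console data).
SAMPLE_EVENTS = [
    {"time": "2024-01-05T10:02:00", "type": "filemod_write",
     "md5": "11111111111111111111111111111111", "path": r"C:\Users\u\Downloads\tool.exe"},
    {"time": "2024-01-05T10:15:00", "type": "process_start",
     "md5": "22222222222222222222222222222222", "path": r"C:\Windows\System32\notepad.exe"},
    {"time": "2024-01-06T09:00:00", "type": "modload",
     "md5": "11111111111111111111111111111111", "path": r"C:\Users\u\Downloads\tool.exe"},
]


def events_for_alert(alert, events, window_minutes=30):
    """Return recorded sensor events for the alert's hash within +/- window_minutes."""
    t0 = datetime.fromisoformat(alert["time"])
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    return [
        e for e in events
        if e["md5"] == alert["md5"]
        and e["type"] in SENSOR_RECORDED
        and lo <= datetime.fromisoformat(e["time"]) <= hi
    ]


def classify_alert(alert, events, window_minutes=30):
    """Explain why the console may show nothing for a SEP 'marked malicious' alert.

    correlated            -> the file was written/deleted/loaded/executed near the alert
    scan_only_prior_activity -> nothing near the alert, but the file was active earlier
    scan_only_no_activity -> the sensor never saw the file do anything (scan-only case)
    """
    if events_for_alert(alert, events, window_minutes):
        return "correlated"
    history = [e for e in events if e["md5"] == alert["md5"] and e["type"] in SENSOR_RECORDED]
    return "scan_only_prior_activity" if history else "scan_only_no_activity"


if __name__ == "__main__":
    # Constructed SEP alert: a scheduled scan flags a file a day after it was last loaded.
    alert = {"time": "2024-01-07T12:00:00", "md5": "11111111111111111111111111111111"}
    print(classify_alert(alert, SAMPLE_EVENTS))  # scan_only_prior_activity
```

When the result is one of the scan_only outcomes, the absence of console events is expected; widening the time window or checking the file's earlier history (as the helper does) is the useful next step rather than assuming the sensor missed something.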