Endpoint Standard: Terminated process alert with TTP:Policy_Deny For An Approved File
Article ID: 289111
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
A Terminated process alert with a TTP:Policy_Deny action is raised for a file that was approved by certificate and/or had Trusted_Allow_List set for both the process and its parent.
Environment
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Sensor: 3.6.0.1941 and Lower
Windows OS: All Supported Versions
Cause
Typically the sensor delays execution at the time of IRP_MJ_CREATE when it sees a file being opened for execute. However, that is not guaranteed to happen if ScanNetworkDriveExecute=false is set, or if the sensor missed seeing the open prior to ctifile loading.
Resolution
This was fixed in DSEN-11927; affected Windows endpoints should upgrade to 3.6.0.2076 or higher.
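To find which endpoints still need the upgrade, the sensor versions from the Environment and Resolution sections above have to be compared numerically rather than as strings (a plain string compare sorts "3.6.0.999" after "3.6.0.2076"). The following is an added triage example, not Carbon Black's own tooling; the inventory is constructed for illustration, and the only facts taken from this article are the affected build (3.6.0.1941 and lower), the fixed build (3.6.0.2076) and the Windows-only scope. Builds between those two are not described by the article, so the helper flags anything below the fixed build as "not confirmed fixed".

```python
"""Triage helper for Article ID 289111: flag Windows endpoints whose
Carbon Black Cloud sensor is below the fixed build and can therefore
raise spurious TTP:Policy_Deny terminations for approved files.

Added example; the inventory below is constructed, not real data.
"""
from typing import List, NamedTuple, Tuple

FIXED_VERSION = "3.6.0.2076"   # first build carrying DSEN-11927 (from the KB)
LAST_AFFECTED = "3.6.0.1941"   # highest build the KB lists as affected


class Endpoint(NamedTuple):
    hostname: str
    os_name: str
    sensor_version: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.6.0.2076' into (3, 6, 0, 2076) so comparisons are numeric.

    A string comparison gets this wrong: '3.6.0.999' > '3.6.0.2076'
    lexically, although the build number 999 is lower than 2076.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_upgrade(sensor_version: str, os_name: str) -> bool:
    """True for a Windows sensor on any build below the fixed build.

    The KB scopes the issue to Windows; other platforms are never flagged.
    Builds above 3.6.0.1941 but below 3.6.0.2076 are not covered by the
    article, so they are treated as not confirmed fixed and flagged too.
    """
    if not os_name.lower().startswith("windows"):
        return False
    return parse_version(sensor_version) < parse_version(FIXED_VERSION)


def endpoints_needing_upgrade(inventory: List[Endpoint]) -> List[str]:
    """Hostnames (sorted) that should be moved to 3.6.0.2076 or higher."""
    return sorted(e.hostname for e in inventory
                  if needs_upgrade(e.sensor_version, e.os_name))


def sample_inventory() -> List[Endpoint]:
    """Constructed inventory used to exercise the helper (not real hosts)."""
    return [
        Endpoint("win-fs01",  "Windows Server 2016", "3.6.0.1941"),  # affected per KB
        Endpoint("win-ws02",  "Windows 10",          "3.6.0.999"),   # older build
        Endpoint("win-ws03",  "Windows 10",          "3.6.0.2076"),  # fixed build
        Endpoint("win-ws04",  "Windows 11",          "3.7.0.100"),   # newer
        Endpoint("mac-lt05",  "macOS",               "3.6.0.1500"),  # out of scope
    ]


if __name__ == "__main__":
    for host in endpoints_needing_upgrade(sample_inventory()):
        print(f"{host}: upgrade sensor to {FIXED_VERSION} or higher")
```

Feed `endpoints_needing_upgrade` whatever host/OS/version export your console or CMDB produces; the version parsing is the only part that matters, and it rejects non-numeric strings rather than silently mis-ordering them.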