Endpoint Standard: Terminated process alert with TTP:Policy_Deny For An Approved File
Article ID: 289111

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

A Terminated process alert shows a TTP:Policy_Deny action for a file that was approved by certificate and/or carried Trusted_Allow_List for both the process and its parent.

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.6.0.1941 and Lower
  • Windows OS: All Supported Versions

Cause

Typically the sensor delays execution at the time of IRP_MJ_CREATE when it sees a file being opened for execute access. That is not guaranteed to happen, however, if ScanNetworkDriveExecute=false is set, or if the sensor missed the open because it occurred prior to ctifile loading.

Resolution

This was fixed in DSEN-11927; affected Windows endpoints should upgrade to sensor version 3.6.0.2076 or higher.