CB Protection: Not all .msi files are discovered by the 8.1.0 agent

Article ID: 289155

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • .msi files run on the endpoints, but there are no events created
  • Global approvals for some .msi files are ignored

Environment

  • CB Protection Server: All Versions
  • CB Protection Agent: 8.1.0 through 8.1.0.3546 (Patch 2)

Cause

The Yara rules did not tag some .msi headers as "IsInteresting" when scanning .msi files with compound headers and other similar unique traits.

Resolution

  1. Upgrade to CB Protection Agent 8.1.4 or greater

Additional Information

  • In our CB Protection Agent Release Notes, we confirm that this issue was considered a defect and was fixed in the 8.1.4 Agent version.
  • The specific defect is documented on page 5 of those release notes as: "EP-7302 Enhancements were made to how the agent analyzes MSI files and what MSI files the agent finds interesting."