CB Protection: Not all .msi files are discovered by the 8.1.0 agent
Article ID: 289155
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
.msi files run on the endpoints, but no events are created.
Global approvals for some .msi files are ignored.
Environment
CB Protection Server: All Versions
CB Protection Agent: 8.1.0 through 8.1.0.3546 (Patch 2)
Cause
When the Yara rules scanned .msi files with compound headers or other similarly unique traits, some .msi headers were not tagged as "IsInteresting".
Resolution
Upgrade to CB Protection Agent 8.1.4 or greater.
Additional Information
Our CB Protection Agent Release Notes confirm that this issue was considered a defect and was fixed in the 8.1.4 Agent version.
The specific defect is documented on page 5 as follows: "EP-7302 Enhancements were made to how the agent analyzes MSI files and what MSI files the agent finds interesting."