App Control: How to Resolve Executions Allowed by "File Loaded before service"
Article ID: 289363
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Seeing Execution Allowed Events with "File loaded before service" and "inactive"
Environment
App Control: 7.2.x and Higher
Cause
This happens when the file was already loaded or executing before the Agent service started, so the Agent was not yet running to block it.
Resolution
Enabling Bans to Stop Running Processes can prevent this.
With this feature enabled, the kernel driver enforces bans itself and terminates processes whose banned image was loaded before the Agent service started.
Details on enabling this capability are in Chapter 8 of the User Guide, under the section Enabling Bans to Stop Running Processes.
Active banning works as follows: periodically, the Parity driver checks all running processes and loaded images.
If it finds a banned image running and active banning is enabled, it terminates the owning process.
Use caution before turning this on. The driver does not exempt processes that the operating system depends on: if a banned image happens to be loaded into a service that is vital for the OS to keep running, that service is still killed, which can crash the system.
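Because the driver will kill any process holding a banned image, including OS-critical services, it is worth finding out what would be terminated before enabling the feature. The following PowerShell pre-flight check is an added example, not part of App Control or its User Guide. It enumerates running processes, hashes each loaded module, and reports processes that currently hold an image whose SHA-256 appears in a ban list. The contents of $BannedSha256 and the $Critical process-name list are hypothetical placeholders; fill the former from your own hash bans (name- and publisher-based bans are not covered by this check). Run it elevated so that module lists of system processes can be read.

```powershell
# Added pre-flight check for "Bans to Stop Running Processes" (not App Control code).
# Reports which running processes already hold a banned image, so an operator can
# see what the Parity driver would terminate once active banning is turned on.

# Hypothetical ban list: replace with SHA-256 hashes from your own hash bans.
$BannedSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'
)

# Assumed list of processes whose termination is likely to take the OS down.
$Critical = 'System', 'smss', 'csrss', 'wininit', 'winlogon', 'services', 'lsass', 'svchost'

# Cache hashes so shared DLLs loaded into many processes are only hashed once.
$hashCache = @{}
function Get-ImageHash([string]$Path) {
    if (-not $hashCache.ContainsKey($Path)) {
        try   { $hashCache[$Path] = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash }
        catch { $hashCache[$Path] = $null }   # unreadable or transient file
    }
    return $hashCache[$Path]
}

$report = foreach ($proc in Get-Process) {
    # Module enumeration fails for protected processes or a 32/64-bit mismatch;
    # those are skipped rather than aborting the whole sweep.
    try { $modules = $proc.Modules } catch { continue }

    foreach ($m in $modules) {
        $h = Get-ImageHash $m.FileName
        if ($h -and ($BannedSha256 -contains $h)) {
            [pscustomobject]@{
                Pid      = $proc.Id
                Process  = $proc.ProcessName
                Image    = $m.FileName
                Critical = ($Critical -contains $proc.ProcessName)
            }
        }
    }
}

# Critical hits are listed first: each one is a process the driver would kill.
$report | Sort-Object Critical -Descending | Format-Table -AutoSize
```

An empty report means no running process currently holds an image from the hash list, and enabling the feature will not terminate anything on this host right now. Any row with Critical set to True should be resolved (ban reviewed, or the image removed from that service) before active banning is switched on, since the driver will not spare that process.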