EDR: Would directly editing a cblr*.tmp file affect audit logs?
Article ID: 289520
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Does editing the cblr*.tmp files on an endpoint affect the Live Response audit logs?
Environment
- EDR Server: All Versions (formerly CB Response)
- EDR Sensor: All Versions
Resolution
No. The audit logs are generated server-side and are not affected by the .tmp files on the endpoint.
Additional Information
- cblr*.tmp files contain general output and interactions with the endpoint via Live Response
- Since these files hold the commands for Live Response, modifying them is not recommended
- These files should be deleted automatically once a command has finished executing