Endpoint Standard: Why Image File Accessed on a USB Device Currently Being Blocked
Article ID: 289629
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
An endpoint that is currently enforcing a Device Control blocking policy may still be able to open an image file, or preview files via Windows Explorer's Preview functionality. This can make it appear that the Carbon Black Cloud sensor is not properly enforcing the block policy.
Environment
Carbon Black Cloud Console: November '20 Release (0.60) and Higher
Endpoint Standard Windows Sensor: 3.6.0.1897 and Higher
Cause
The image files are being served from the Windows cache: they were viewed or accessed before the Device Control policy was enforced. The Windows Photo application also caches the previous and next images, which may produce the same behavior for files that were not directly accessed.
Resolution
To fix this, clear the cache and attempt to access the image or preview again. To clear the cache manually, delete the contents of the following path:
%localappdata%\Microsoft\Windows\Explorer
Once the content is cleared, return to the file and attempt to open it; the "Access Denied" message will be received as expected.
Additional Information
Closing or killing the explorer.exe process before deleting may be required to delete all the content.
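The steps above can be scripted for the affected user's session. The following PowerShell is an added example, not part of the original article or the Carbon Black product; the function name Clear-ExplorerCache is hypothetical, and the only path used is the one given in the Resolution section.

```powershell
# Added example: clears the per-user Explorer cache named in the Resolution section.
# Run in the affected user's session; the function name is hypothetical.
function Clear-ExplorerCache {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Path from the article; resolves per user via LOCALAPPDATA.
        [string]$CachePath = (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Explorer')
    )

    if (-not (Test-Path -LiteralPath $CachePath -PathType Container)) {
        Write-Warning "Cache folder not found: $CachePath"
        return
    }

    # Explorer keeps the cache files open, so stop it first (see Additional Information).
    if ($PSCmdlet.ShouldProcess('explorer.exe', 'Stop process')) {
        Get-Process -Name explorer -ErrorAction SilentlyContinue | Stop-Process -Force
        Start-Sleep -Milliseconds 500
    }

    $failed = @()
    foreach ($item in Get-ChildItem -LiteralPath $CachePath -Force) {
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Delete')) {
            try {
                Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
            } catch {
                # Still locked by some process; report it rather than failing silently.
                $failed += $item.FullName
            }
        }
    }

    # Windows usually restarts the shell itself; start it only if it did not.
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        Start-Process explorer.exe
    }

    if ($failed.Count -gt 0) {
        Write-Warning "Could not delete $($failed.Count) item(s):"
        $failed | ForEach-Object { Write-Warning "  $_" }
    }
}

Clear-ExplorerCache
```

Calling the function with -WhatIf lists what would be stopped and deleted without changing anything. Any items reported as not deleted are still held open and may still serve cached previews until they are removed.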