Carbon Black Cloud: Blocking of USB Devices fails with Permissions rule for winlogon.exe
Article ID: 289748


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

  • Local pop-up warnings on the endpoint report that a USB device is being blocked
  • The policy's Prevention tab has "USB Device Blocking" > "Block access to all unapproved USB devices" enabled
  • USB device blocking does not actually take effect: files can still be copied to and from the USB device

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.6.0.1897 and Higher
  • Microsoft Windows: All Supported Versions

Cause

The policy contains a Permissions rule for winlogon.exe:
Applications at path: C:\Windows\System32\winlogon.exe
Operation Attempt: Performs any operation
Action: Bypass

winlogon.exe is the ancestor of every process in the interactive user session (it starts userinit.exe, which starts explorer.exe), so the Bypass is inherited by the user's shell and by every application launched from it. The sensor therefore never enforces USB device blocking on the processes that perform the file copies, even though the policy setting is enabled.

Resolution

  1. Remove any Permissions rule with "Performs any operation" > "Bypass" that references winlogon.exe (or any other core Windows process that parents interactive user sessions, for example userinit.exe or explorer.exe)
  2. Reboot the endpoint so the sensor clears the cached Permissions rule from memory; removing the rule in the console alone is not sufficient

Additional Information

  • The Permissions rule called out above for winlogon.exe grants the same Bypass to every process in the process tree under winlogon.exe. Because that tree contains the user's explorer.exe shell and everything started from it, the Bypass silently covers almost all interactive activity, including USB file copies. Before adding a "Performs any operation" > "Bypass" rule for any system process, check which user-facing processes descend from it.
  • Permissions rules using "Performs any operation" > "Bypass" are held in sensor memory; deleting the rule in the console is not enough, and a system reboot is required to fully remove the rule from the Sensor.
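
The following script models the behaviour described in the Resolution and Additional Information sections: a "Performs any operation" > "Bypass" rule on winlogon.exe is inherited by every descendant in the session's process tree, and removing that one rule restores enforcement for the processes copying files to USB. It is an added illustration for this article, not Carbon Black Cloud code; the `PermissionRule` and `Proc` record shapes, the `effective_bypass` and `offending_rules` helper names, and the process snapshot and rule list are all assumptions constructed for the example. The reboot requirement (the rule lingering in sensor memory) is not modelled.

```python
"""Model how a "Performs any operation" > "Bypass" Permissions rule on
winlogon.exe is inherited down the process tree of an interactive session.

Added illustration for this article; not Carbon Black Cloud code. The
rule and process record shapes are assumptions, and the process snapshot
below is constructed to resemble a Windows logon session.
"""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class PermissionRule:
    """One Permissions rule as shown on the policy's Prevention tab."""
    path: str        # "Applications at path"
    operation: str   # "Operation Attempt", e.g. "Performs any operation"
    action: str      # "Action", e.g. "Bypass"


@dataclass(frozen=True)
class Proc:
    """One row of a process listing (pid, parent pid, image path)."""
    pid: int
    ppid: int
    image: str


# Core Windows processes whose descendants make up the interactive session.
SESSION_PARENTS = {"winlogon.exe", "userinit.exe", "explorer.exe"}

# Constructed snapshot: winlogon.exe -> userinit.exe -> explorer.exe -> apps.
SAMPLE_PROCESSES: List[Proc] = [
    Proc(4, 0, "System"),
    Proc(600, 4, r"C:\Windows\System32\winlogon.exe"),
    Proc(700, 4, r"C:\Windows\System32\services.exe"),
    Proc(1200, 600, r"C:\Windows\System32\userinit.exe"),
    Proc(1300, 1200, r"C:\Windows\explorer.exe"),
    Proc(2100, 1300, r"C:\Windows\System32\cmd.exe"),
    Proc(2200, 2100, r"C:\Windows\System32\robocopy.exe"),  # copying to USB
    Proc(2300, 700, r"C:\Windows\System32\svchost.exe"),    # service, outside the session
]

# The rule from the Cause section, plus an unrelated (hypothetical) bypass
# on a backup agent that is not part of the session tree.
SAMPLE_RULES: List[PermissionRule] = [
    PermissionRule(r"C:\Windows\System32\winlogon.exe", "Performs any operation", "Bypass"),
    PermissionRule(r"C:\Program Files\Backup\agent.exe", "Performs any operation", "Bypass"),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_full_bypass(rule: PermissionRule) -> bool:
    """True for the rule shape the article warns about."""
    return rule.operation == "Performs any operation" and rule.action == "Bypass"


def offending_rules(rules: Iterable[PermissionRule]) -> List[PermissionRule]:
    """Rules the Resolution says to remove: a full Bypass on a session parent."""
    return [r for r in rules if is_full_bypass(r) and _basename(r.path) in SESSION_PARENTS]


def effective_bypass(rules: Iterable[PermissionRule], procs: Iterable[Proc]) -> Set[int]:
    """PIDs that run under a full Bypass, directly or via an ancestor.

    Walks each process up its parent chain; the 'seen' set guards against
    parent-pid cycles that PID reuse can produce in a real snapshot.
    """
    full = {r.path.lower() for r in rules if is_full_bypass(r)}
    procs = list(procs)
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    result: Set[int] = set()
    for p in procs:
        cur, seen = p, set()
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            if cur.image.lower() in full:
                result.add(p.pid)
                break
            cur = by_pid.get(cur.ppid)
    return result


def bypassed_images(rules: Iterable[PermissionRule], procs: Iterable[Proc]) -> List[str]:
    """Image names (sorted) of every process that inherits the Bypass."""
    procs = list(procs)
    ids = effective_bypass(rules, procs)
    return sorted(_basename(p.image) for p in procs if p.pid in ids)


if __name__ == "__main__":
    print("bypassed before fix:", bypassed_images(SAMPLE_RULES, SAMPLE_PROCESSES))
    bad = offending_rules(SAMPLE_RULES)
    print("rules to remove:", [r.path for r in bad])
    fixed = [r for r in SAMPLE_RULES if r not in bad]
    print("bypassed after fix:", bypassed_images(fixed, SAMPLE_PROCESSES))
```

Run against the constructed snapshot, robocopy.exe and cmd.exe inherit the Bypass solely because winlogon.exe is their ancestor, while svchost.exe under services.exe does not; the unrelated agent.exe rule never touches the session tree and is left alone. On a real endpoint the snapshot would come from a process listing (for example Get-CimInstance Win32_Process in PowerShell), and the rule list from the policy's Prevention tab.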