Endpoint Standard: Company approved DLL blocked when executed from network drive
Article ID: 289762
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Approved (whitelisted) files executed from a network drive are blocked
"ScanNetworkDriveExecute" is disabled in sensor policy
Environment
Carbon Black Cloud Console: All Supported Versions
Endpoint Standard Sensor: All Supported Versions
Cause
The sensor blocks events while the reputation is still being resolved.
Resolution
Enable "ScanNetworkDriveExecute" so the sensor caches the reputation
If network scans cannot be allowed, sensor versions 3.6.0.2076 and above support a config change to trust resolving files. Contact Support for assistance.
WARNING: Trusting a resolving file could result in a malicious file executing until a reputation is resolved
Additional Information
When network scanning is disabled on the sensor, files from a network drive are not cached, so each time a file is executed from a shared drive, its reputation must be recaptured.
Troubleshooting is best done on sensors running 3.6.0.2076 and higher due to improved logging.