Carbon Black Cloud: Why can't I delete files in a Live Response session?



Article ID: 289924


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Why am I unable to delete a read-only file in Live Response? 

The session shows the following error:

Remote error 0x80070005 - Access is denied.

Environment

  • Microsoft Windows: All Supported Versions
  • Carbon Black Cloud Sensor: 3.4.x

Resolution

The Live Response delete function uses a Windows API that honours file attributes such as ReadOnly. Failing to delete a ReadOnly file is therefore expected behaviour: the attribute must be cleared before Live Response can delete the file.

Additional Information

As a workaround, the attrib command can be used to clear the attribute:
attrib -r [filename.ext]

Once the read-only attribute has been removed (with the command above), the Live Response built-in "delete" command can be used to remove the file.

Alternatively, the Microsoft Sysinternals tool SDelete also allows removal of read-only files:

sdelete /r [filename.ext]

Carbon Black recommends extensive testing and special care when using powerful deletion tools such as SDelete.

An enhancement request has been made to add native functionality for deleting read-only files; please feel free to upvote it:
https://community.carbonblack.com/t5/Idea-Central/Allow-deletion-of-read-only-files-in-Live-Response-sessions/idi-p/80808

If the error shown is instead the one below, an attempt was made to delete a directory, which is not a supported Live Response feature.

Remote error 0x8007000C - The access code is invalid.
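The following PowerShell function is an added example, not Carbon Black code: run from an administrative shell on the endpoint, it checks a path for the two conditions this article describes (a directory, which Live Response cannot delete, and a file with the ReadOnly attribute, which produces 0x80070005) and can clear the ReadOnly flag with the same effect as "attrib -r" before the built-in delete is used. The sample file it creates is constructed for the demonstration.

```powershell
# Added example (not part of the article): explain why the Live Response "delete"
# command would fail on a path, and optionally clear the ReadOnly attribute.
function Test-LiveResponseDeletable {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $ClearReadOnly   # when set, clear ReadOnly (same effect as "attrib -r")
    )
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

    if ($item.PSIsContainer) {
        # Directories are not deletable through Live Response (0x8007000C in the article)
        return [pscustomobject]@{ Path = $Path; Deletable = $false
                                  Reason = 'Directory: not supported by Live Response delete' }
    }

    $isReadOnly = ($item.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0
    if ($isReadOnly -and $ClearReadOnly) {
        # Clear only the ReadOnly bit; other attributes (Hidden, System, ...) are kept
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::ReadOnly
        $isReadOnly = $false
    }

    if ($isReadOnly) {
        return [pscustomobject]@{ Path = $Path; Deletable = $false
                                  Reason = 'ReadOnly set (expect 0x80070005); use -ClearReadOnly or attrib -r' }
    }
    return [pscustomobject]@{ Path = $Path; Deletable = $true
                              Reason = 'No blocking attribute; Live Response delete should succeed' }
}

# Constructed sample: a temporary file with the ReadOnly attribute set
$sample = Join-Path $env:TEMP 'lr-readonly-sample.txt'
Set-Content -LiteralPath $sample -Value 'sample'
Set-ItemProperty -LiteralPath $sample -Name Attributes -Value ([IO.FileAttributes]::ReadOnly)

Test-LiveResponseDeletable -Path $sample                  # Deletable = False (ReadOnly)
Test-LiveResponseDeletable -Path $sample -ClearReadOnly   # Deletable = True
Test-LiveResponseDeletable -Path $env:TEMP                # Deletable = False (directory)

Remove-Item -LiteralPath $sample                          # clean up the sample file
```

Once the function reports Deletable = True, the Live Response built-in "delete" command can be used on the file as described above.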