Endpoint Standard: Why do Blocks from Rules with "Runs or is running" not Always Match Selected Deny/Terminate Action?
Article ID: 290036
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
If a Blocking and Isolation Policy Rule is configured where Operation attempt is "Runs or is running" and the Action is set to "Deny operation", why are there blocks for "Terminate process" (TTP of POLICY_TERMINATE) instead? Or if the Action is set to "Terminate process", why are there blocks for "Deny operation" (TTP of POLICY_DENY) instead?
Environment
Carbon Black Cloud Console: All Versions
Endpoint Standard
Resolution
"Runs or is running" is the only Operation attempt that represents more than one possible attempted action; the Sensor selects the appropriate action to take based on context:
Runs: the application/file/process tries to run or is invoked by another process but is not currently running; the correct action is Deny (reported as TTP POLICY_DENY).
Is running: the binary is already running; the correct action is Terminate (reported as TTP POLICY_TERMINATE).
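The following is an added example, not code from Carbon Black or this article: a small triage helper for reconciling observed blocks against a "Runs or is running" rule, so an analyst can tell a normal context-driven substitution (Deny configured, POLICY_TERMINATE observed, or the reverse) from a block that genuinely disagrees with the rule. The BlockEvent shape and the sample events are constructed for illustration and do not reflect the Carbon Black Cloud API schema.

```python
from dataclasses import dataclass
from typing import List

# From the article: each configured Action maps to one reported TTP.
ACTION_TO_TTP = {
    "Deny operation": "POLICY_DENY",
    "Terminate process": "POLICY_TERMINATE",
}


def expected_ttp(operation_attempt: str, configured_action: str,
                 process_was_running: bool) -> str:
    """Return the TTP the Sensor should report for a block.

    "Runs or is running" is the one Operation attempt where the Sensor chooses
    the action from context: Deny when the process is not yet running,
    Terminate when it already is. Any other Operation attempt reports the
    configured action unchanged (assumption for this example).
    """
    if operation_attempt == "Runs or is running":
        return "POLICY_TERMINATE" if process_was_running else "POLICY_DENY"
    return ACTION_TO_TTP[configured_action]


@dataclass
class BlockEvent:
    """Constructed, simplified block record (not the CBC API schema)."""
    rule_operation: str        # Operation attempt of the matching rule
    rule_action: str           # Action configured on the rule
    process_was_running: bool  # whether the target was already running
    observed_ttp: str          # TTP reported on the block


def classify(event: BlockEvent) -> str:
    """Label a block as one of:
    - "matches_rule": observed TTP equals the configured action's TTP
    - "context_substitution": TTP differs from the configured action but is
      exactly what "Runs or is running" should produce for this context
    - "unexpected": observed TTP is not what the rule should produce
    """
    expected = expected_ttp(event.rule_operation, event.rule_action,
                            event.process_was_running)
    if event.observed_ttp != expected:
        return "unexpected"
    configured = ACTION_TO_TTP[event.rule_action]
    return "matches_rule" if expected == configured else "context_substitution"


def triage(events: List[BlockEvent]) -> List[str]:
    """Classify a batch of block events in order."""
    return [classify(e) for e in events]


# Constructed sample events covering the cases the article asks about.
SAMPLE_EVENTS = [
    BlockEvent("Runs or is running", "Deny operation", True, "POLICY_TERMINATE"),
    BlockEvent("Runs or is running", "Terminate process", False, "POLICY_DENY"),
    BlockEvent("Runs or is running", "Deny operation", False, "POLICY_DENY"),
    BlockEvent("Runs or is running", "Terminate process", True, "POLICY_DENY"),
]

if __name__ == "__main__":
    for event, label in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{event.rule_action:18} running={event.process_was_running!s:5} "
              f"observed={event.observed_ttp:16} -> {label}")
```

The first two sample events are the situations the question describes and come back as "context_substitution", which is expected behaviour rather than a misconfiguration; only the last event, where a process that was already running was reported as POLICY_DENY, is flagged "unexpected" and worth a closer look.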
Additional Information
Runs or is running is the most restrictive Operation attempt in terms of Blocking and Isolation rules: it blocks as soon as the application/file/process either tries to run or is found to be running.
Runs or is running is the least permissive Operation attempt in terms of Permissions rules: it only allows the application/file/process to be launched/invoked by another process or to continue running.