Endpoint Standard: Why do Blocks from Rules with "Runs or is running" not Always Match Selected Deny/Terminate Action?
Article ID: 290036

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

If a Blocking and Isolation Policy Rule is configured where Operation attempt is "Runs or is running" and the Action is set to "Deny operation", why are there blocks for "Terminate process" (TTP of POLICY_TERMINATE) instead? Or if the Action is set to "Terminate process", why are there blocks for "Deny operation" (TTP of POLICY_DENY) instead?

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard

Resolution

  • "Runs or is running" is the only Operation attempt that represents more than one possible attempted action, so the Sensor selects the action to take from context rather than strictly applying the Action configured on the rule
    • Runs: the application/file/process tries to run, or is invoked by another process, but is not currently running; the correct action is Deny, reported as TTP POLICY_DENY
    • Is running: the binary is already running when the rule matches; the correct action is Terminate, reported as TTP POLICY_TERMINATE
  • Because either outcome is possible for the same rule, a rule with Action "Deny operation" can legitimately produce POLICY_TERMINATE blocks, and a rule with Action "Terminate process" can legitimately produce POLICY_DENY blocks
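The following is an added example, not Carbon Black's code, that applies the rule above when reviewing exported block events: for a "Runs or is running" rule either TTP is legitimate (and, where the export says whether the process was already running, only the matching one is), while for any other Operation attempt the TTP is assumed to match the configured Action. The record layout, the rule names other than "Runs or is running", and the sample events are constructed for illustration and do not reflect any Carbon Black Cloud API response shape.

```python
"""Reconcile Endpoint Standard block events with the Blocking and Isolation
rule that produced them.

Added example, not Carbon Black's code. The Rule/BlockEvent layout and the
sample events are constructed; map your own exported fields into them first.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

RUNS_OR_IS_RUNNING = "Runs or is running"

# TTP the sensor reports when the configured Action is applied directly.
ACTION_TTP = {
    "Deny operation": "POLICY_DENY",
    "Terminate process": "POLICY_TERMINATE",
}


@dataclass(frozen=True)
class Rule:
    operation: str  # Operation attempt, e.g. "Runs or is running"
    action: str     # "Deny operation" or "Terminate process"


@dataclass(frozen=True)
class BlockEvent:
    rule: Rule
    process: str
    ttp: str                         # POLICY_DENY or POLICY_TERMINATE
    already_running: Optional[bool]  # None when the export does not say


def expected_ttps(rule: Rule, already_running: Optional[bool] = None) -> set:
    """TTPs the sensor may legitimately report for this rule.

    "Runs or is running" covers two attempted actions, so the sensor picks
    Deny (not yet running) or Terminate (already running) from context,
    whatever Action the rule was configured with. Every other Operation
    attempt is assumed here to map straight to the configured Action.
    """
    if rule.operation == RUNS_OR_IS_RUNNING:
        if already_running is None:
            return {"POLICY_DENY", "POLICY_TERMINATE"}
        return {"POLICY_TERMINATE"} if already_running else {"POLICY_DENY"}
    return {ACTION_TTP[rule.action]}


def classify(event: BlockEvent) -> str:
    """Return 'expected' or 'unexpected' for one block event."""
    allowed = expected_ttps(event.rule, event.already_running)
    return "expected" if event.ttp in allowed else "unexpected"


def reconcile(events):
    """Count expected vs unexpected blocks per rule; keyed by Rule."""
    report = {}
    for ev in events:
        report.setdefault(ev.rule, Counter())[classify(ev)] += 1
    return report


# Constructed sample rules and events (not real console data).
DENY_RULE = Rule(RUNS_OR_IS_RUNNING, "Deny operation")
TERM_RULE = Rule(RUNS_OR_IS_RUNNING, "Terminate process")
OTHER_RULE = Rule("Some other operation attempt", "Deny operation")

SAMPLE_EVENTS = [
    # Deny rule, process not yet running: sensor denies -> expected
    BlockEvent(DENY_RULE, "tool.exe", "POLICY_DENY", already_running=False),
    # Deny rule, process already running: sensor terminates -> expected
    BlockEvent(DENY_RULE, "tool.exe", "POLICY_TERMINATE", already_running=True),
    # Terminate rule, context unknown: either TTP is acceptable -> expected
    BlockEvent(TERM_RULE, "agent.exe", "POLICY_DENY", already_running=None),
    # Single-action operation with a TTP that does not match its Action
    BlockEvent(OTHER_RULE, "shell.exe", "POLICY_TERMINATE", already_running=None),
]

if __name__ == "__main__":
    for rule, counts in reconcile(SAMPLE_EVENTS).items():
        print(f"{rule.operation!r} / {rule.action!r}: {dict(counts)}")
```

Only the last sample event is flagged: its rule is not "Runs or is running", so a TTP other than the one implied by its Action is worth a closer look, whereas the mixed POLICY_DENY/POLICY_TERMINATE results under the two "Runs or is running" rules are the documented sensor behaviour.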

Additional Information

  • In Blocking and Isolation rules, "Runs or is running" is the most restrictive Operation attempt: the application/file/process is blocked as soon as it either tries to run or is found to be already running
  • In Permissions rules, "Runs or is running" is the least permissive Operation attempt: it only allows the application/file/process to be launched (including being invoked by another process) or to continue running