Cb Protection: Approve Inaccessible Files based on Last Known State

Article ID: 290149

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

This is one of the agent configuration properties we recommend for unanalyzed file blocks. The most common symptom of that issue is a block occurring with no file hash present in the event in the console. 
 

Environment

  • Cb Protection Agent: All Versions

Cause

Unanalyzed file blocks occur when the agent does not have time to properly analyze a file. This is typically caused by latency on the endpoint, most commonly from the network or third-party antivirus.
 

Resolution

Configuration property:
  1. Property Name: Approve Inaccessible Files based on Last Known State
  2. Host ID: 0 (for all)
  3. Value: approve_inaccessible_files_based_on_last_known_state=1
  4. Status: Enabled

Additional Information

Description: Determines whether the agent temporarily applies a local approval to a file that it cannot re-hash at the time of execution, provided the last known hash for that file was approved. The purpose is to reduce the number of unanalyzed blocks.

Security Risk: Minimal/moderate (A malicious actor could overwrite an approved file with new content and lock the file, preventing analysis as a means of bypassing enforcement)

Operational Risk: Net plus; decreases the number of unanalyzed blocks

Conflicts or Overlaps: Some overlap with allow_inaccessible_files