Carbon Black Cloud: How To Find Blocks In Windows Event Viewer (3.0 and below)
Article ID: 290273
Updated On: 10-06-2020
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
This article lists terms to look for in Windows Event Viewer to identify blocks from CB Defense.
Environment
CB Defense PSC Console: All Versions
CB Defense Sensor: 3.0 and below
Microsoft Windows: All Supported Versions
Resolution
Search for any of the following terms in Event Viewer:
was prevented from loading the file
was prevented from accessing the file
due to a Deny operation or Terminate process policy action
was terminated due to a Deny operation or Terminate process policy action
The operation was blocked by Confer
The operation was blocked and the application terminated by Confer
The connection was reset by Confer
Additional Information
This information can also be useful if users report programs being blocked but no Events or Alerts are shown within the CB Defense PSC Console, or when troubleshooting interoperability issues with the CB Defense Sensor.
For blocks, the event source may be CbDefense and the Event ID 17.
Some other event IDs referenced by CbDefense events are 1, 17, 33, 49.
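The search described above can be scripted instead of run by hand in Event Viewer. The following is an added example, not part of the original article or a Carbon Black tool: saved as a script, it matches the listed phrases against event messages and summarizes hits by source and event ID. It assumes the events are in the Application log (the article does not name the log); the `-LogName` and `-Days` parameters are hypothetical names chosen for this example.

```powershell
# Added example: search a Windows event log for the block phrases listed in this article.
# Assumption: the events are written to the Application log; override with -LogName.
param(
    [string]$LogName = 'Application',
    [int]$Days = 7          # how far back to search
)

# Phrases copied verbatim from the list in this article.
$phrases = @(
    'was prevented from loading the file',
    'was prevented from accessing the file',
    'due to a Deny operation or Terminate process policy action',
    'was terminated due to a Deny operation or Terminate process policy action',
    'The operation was blocked by Confer',
    'The operation was blocked and the application terminated by Confer',
    'The connection was reset by Confer'
)

# One regex, with each phrase escaped so it is matched literally.
$pattern = ($phrases | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Filter by log and time on the server side; match message text on the client side.
$filter = @{ LogName = $LogName; StartTime = (Get-Date).AddDays(-$Days) }
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern }

# Detail view: when, which source and ID, which phrase matched, first line of the message.
$hits |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Phrase';  Expression = { [regex]::Match($_.Message, $pattern, 'IgnoreCase').Value } },
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Summary by source and event ID, to compare with the CbDefense source and ID 17 noted above.
$hits | Group-Object ProviderName, Id | Select-Object Count, Name
```

Matching on message text rather than on the source name also catches events logged under a different source, which is why the summary groups by both source and ID.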