PSC: Can 0 byte files be pulled via Live Response?
book
Article ID: 290496
calendar_today
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
If there is a file with no content (showing 0 bytes for file size), can an Admin use the GET function in a Live Response session to pull that file?
Environment
- PSC Console: All Versions
- CB Defense
- CB LiveOps
- CB ThreatHunter
- PSC Sensor: 2.2.x.x and Higher (Linux), 3.3.0.x and Higher (Windows), 3.3.1.x and Higher (Mac)
- Apple macOS: All Supported Versions
- Linux: All Supported Versions
- Microsoft Windows: All Supported Versions
Resolution
No. As there is no content, there is nothing to retrieve. To GET a file in Live Response, the file must be non-zero in size.
Additional Information
- Can also be termed zero-byte or zero-length files
- Files like this can still be deleted via Live Response
Feedback
thumb_up
Yes
thumb_down
No