PSC: Can 0 byte files be pulled via Live Response?

Article ID: 290496

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

If there is a file with no content (showing 0 bytes for file size), can an Admin use the GET function in a Live Response session to pull that file?

Environment

  • PSC Console: All Versions
    • CB Defense
    • CB LiveOps
    • CB ThreatHunter
  • PSC Sensor: 2.2.x.x and Higher (Linux), 3.3.0.x and Higher (Windows), 3.3.1.x and Higher (Mac)
  • Apple macOS: All Supported Versions
  • Linux: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

No. As there is no content, there is nothing to retrieve. To GET a file in Live Response, the file must be non-zero in size.

Additional Information

  • Files with no content are also termed zero-byte or zero-length files
  • Files like this can still be deleted via Live Response