CB Defense: MS Office Apps blocked from opening .txt and .csv files on 3.3 and above
Article ID: 290668
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
After upgrading to 3.3, Alerts are observed stating "The application <filename>.txt was detected running. A Terminate Policy Action was applied" or "The application <filename>.csv was detected running. A Terminate Policy Action was applied"
When a .txt or .csv file is opened in Word or Excel, the app launches and immediately exits
If Office Apps are configured to open files in a new window, i.e. "Ignore other applications" or "Ignore other applications that use Dynamic Data Exchange"
After rolling back to Sensor version 3.2 and below, .txt and .csv files are not blocked when opened with Microsoft (MS) Office Apps
Environment
CB Defense PSC Web Console: All Versions
CB Defense Sensor: 3.3 and above
Microsoft Windows: All Versions
Cause
In sensor version 3.2 and below, applications such as Excel (excel.exe), Word (winword.exe), and Adobe Acrobat (acrord32.exe) were not being correctly identified as script hosts, so policies were not applied to the target script
Example: .txt, .csv, and .pdf script files with UNKNOWN or NOT_LISTED reputations are allowed even if a rule to deny/terminate unknown/not listed applications is configured
Resolution
The behavior observed in 3.3 and above is working as expected since MS Office and Adobe are now properly identified as script hosts
Some policies may need to be adjusted to ensure that files such as .txt, .csv, .dotx, .ppsx, .pptx, .xlsx, and .pdf are allowed to perform the required action
Alternatively, the script host files can be whitelisted or the Local Scanner may be enabled to help ensure these script host files obtain a definite reputation
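Before adjusting policies, it helps to see which file types the new script-host handling is actually terminating. The following is an added example, not Carbon Black code: it assumes the alert reason strings have already been exported into a list, matches the alert wording quoted above, and uses constructed sample alerts.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Alert wording as quoted in this article; the <filename> part is captured.
ALERT_RE = re.compile(
    r"The application (?P<name>.+?) was detected running\. "
    r"A Terminate Policy Action was applied"
)

# Document types this article lists as possibly needing a policy adjustment.
DOC_EXTENSIONS = {".txt", ".csv", ".dotx", ".ppsx", ".pptx", ".xlsx", ".pdf"}


def triage(alert_reasons):
    """Count terminated targets by extension, split into the article's
    document types and everything else (which deserves separate review)."""
    documents, other = Counter(), Counter()
    for reason in alert_reasons:
        match = ALERT_RE.search(reason)
        if not match:
            continue  # not a terminate alert in the wording shown above
        name = match.group("name").strip('"')
        ext = PureWindowsPath(name).suffix.lower()
        bucket = documents if ext in DOC_EXTENSIONS else other
        bucket[ext or "(none)"] += 1
    return documents, other


# Constructed sample alert reasons (file names are made up for illustration).
SAMPLE_ALERTS = [
    "The application notes.txt was detected running. A Terminate Policy Action was applied",
    "The application Q3 report.CSV was detected running. A Terminate Policy Action was applied",
    "The application budget.csv was detected running. A Terminate Policy Action was applied",
    "The application update.ps1 was detected running. A Terminate Policy Action was applied",
    "Unrelated alert text (constructed)",
]

if __name__ == "__main__":
    docs, other = triage(SAMPLE_ALERTS)
    print("Document targets terminated via Office/Adobe script hosts:")
    for ext, count in docs.most_common():
        print(f"  {ext}: {count}")
    print("Other terminated targets (review before allowing):")
    for ext, count in other.most_common():
        print(f"  {ext}: {count}")
```

Extensions in the second group are not among the document types named in this article, so they should not be covered by the same policy adjustment without review.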