Unanalyzed Block Timeout for Local Files
Article ID: 290678

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

This article describes the Agent Config that adjusts the analysis timeout for local files. Raising it is typically beneficial when the Agent is enforcing Unanalyzed Blocks.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Cause

Unanalyzed file blocks occur when the Agent does not have time to properly analyze a file. This is typically caused by latency on the endpoint, with network latency or third-party antivirus being the most common root causes.

Resolution

  1. Verify the Agent Exclusions are present in any other antivirus/security software on the endpoint.
  2. Verify the latest version of the Agent is installed; this eliminates the possibility that the behavior is related to a known issue.

If the issue persists, or as directed by Support, the following workaround may resolve the issue:

  1. Log in to the Console and navigate to https://ServerAddress/agent_config.php > Add Agent Config:
    • Property Name: Increase AbMiss Timeout
    • Host ID: 0 (0 will send the config to all machines)
    • Value:
      kernelLocalAbMissTimeout=90000
    • Status: Enabled
    • Create For: All, or only relevant Policies
  2. Click Save.

Additional Information

  • Alternatively, a new Agent Config can be created with the same Value listed above for a specific Policy or Endpoint.
  • The default value for this setting (as of 8.0) is: kernelLocalAbMissTimeout=60000
  • Description: An “abmiss” occurs when the parity driver encounters a new local file (i.e. from a fixed disk) that does not currently exist in its cache (cache miss). The driver sends a message to the agent (Parity.exe) to collect metadata on the file (hash, signature info, file state, etc.) and update the cache. In certain cases, such as executions, the driver will stall the underlying operation while it waits for a response from the agent. This setting controls how long the driver will wait for a response from the agent. If the timeout period expires, the file is considered unanalyzed and the policy setting “Block unanalyzed scripts and executables” determines how to proceed with the operation (block, allow, report). The agent will continue to attempt to complete analysis of the file to determine its state, except in certain cases, for example if the file was deleted.
  • Security Risk: Increasing the timeout is a net gain in security as the agent is allowed more time to determine file state before responding to the driver request.
  • Operational Risk: Most abmisses do not result in operations being stalled. Therefore there is little operational risk to increasing the timeout. The exception is operations on network files where you are more likely to encounter abmisses on execution which are stalled. In those cases, the user could see a delay while the driver waits for a response from the agent or the stall expires (see the next config setting).
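As an added illustration (not App Control code), the following Python model of the driver/agent hand-off described above shows how the configured timeout decides whether a stalled execution is enforced on the analyzed file state or falls through to the “Block unanalyzed scripts and executables” policy. The latency values and the `stalls` flag are constructed assumptions; the default and raised timeouts are the ones stated in this article.

```python
from dataclasses import dataclass
from enum import Enum

# Values taken from the article: the 8.0 default and the workaround value.
DEFAULT_LOCAL_ABMISS_TIMEOUT_MS = 60000
RAISED_LOCAL_ABMISS_TIMEOUT_MS = 90000
CONFIG_KEY = "kernelLocalAbMissTimeout"


class UnanalyzedPolicy(Enum):
    """Choices of the policy setting 'Block unanalyzed scripts and executables'."""
    BLOCK = "block"
    ALLOW = "allow"
    REPORT = "report"


@dataclass(frozen=True)
class Outcome:
    analyzed: bool      # did the agent answer before the driver's timeout expired?
    action: str         # what the driver does with the stalled operation
    stalled_ms: int     # user-visible delay while the driver waited


def parse_agent_config_value(value: str) -> int:
    """Parse the Agent Config 'Value' field, e.g. 'kernelLocalAbMissTimeout=90000'."""
    key, sep, raw = value.strip().partition("=")
    if sep != "=" or key != CONFIG_KEY or not raw.isdigit():
        raise ValueError(f"expected '{CONFIG_KEY}=<milliseconds>', got {value!r}")
    return int(raw)


def resolve_abmiss(agent_latency_ms: int, timeout_ms: int,
                   policy: UnanalyzedPolicy, stalls: bool = True) -> Outcome:
    """Hypothetical model of one abmiss: the driver asks the agent for file
    metadata and, for stalling operations (e.g. executions), waits up to
    timeout_ms for the answer. agent_latency_ms is how long the agent needs
    (constructed input; in practice driven by AV scanning, network latency, etc.)."""
    if not stalls:
        # Most abmisses do not stall: the operation proceeds and the agent
        # finishes analysis in the background, so the user sees no delay.
        return Outcome(analyzed=False, action="proceed", stalled_ms=0)
    if agent_latency_ms <= timeout_ms:
        # Agent answered in time: the driver enforces the real file state.
        return Outcome(analyzed=True, action="enforce file state", stalled_ms=agent_latency_ms)
    # Timeout expired: file is unanalyzed, the policy setting decides.
    return Outcome(analyzed=False, action=policy.value, stalled_ms=timeout_ms)


if __name__ == "__main__":
    # Constructed scenario: the agent needs 75 s; 60 s default blocks, 90 s analyzes.
    for timeout in (DEFAULT_LOCAL_ABMISS_TIMEOUT_MS, RAISED_LOCAL_ABMISS_TIMEOUT_MS):
        print(timeout, resolve_abmiss(75000, timeout, UnanalyzedPolicy.BLOCK))
```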