CB Defense: Why does the path in the command line field not match what is listed in the event?
Article ID: 290699
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Why does the path in the command line field not match what is listed in the event?
Environment
- CB Defense Console: Current Version
- CB Defense Sensor: 2.x and Higher
Resolution
The sensor could be reporting the absolute path, which in the case of mapped drives, tend to be the share path. Whereas the commandline used by the program may reference the mapped drive directly.
Additional Information
- Commandline arguments may differ depending on how a share was mapped to the system and at what point in the path it was mapped.
- Example:
- What the sensor sees and displays in the event data
- \\Company\Share\For\Data\important.csv
- What could be displayed as part of the "Commandline":
- For a drive mapped at \\Campany\Share:
- Z:\For\Data\important.csv
- Drive mapped at \\Company\Share\For\:
- Z:\Data\important.csv
- For a drive mapped at \\Campany\Share:
- What the sensor sees and displays in the event data
Feedback
Yes
No
Powered by
