EDR: Why does the path contain ellipsis?

Article ID: 290855

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

On Linux sensors, why does the recorded path include ellipsis?

Environment

  • EDR Linux Sensor: 7.0 to 7.2
  • RHEL/CentOS: 7 and 8

Resolution

For the kernel module:
When a path or command line exceeds the maximum number of characters, the Linux kernel returns an error.
In that case the kernel module (kmod) inserts an ellipsis (...) into the recorded path to signal to user space that the path was truncated.
The full path can be determined with native Linux commands. Because of the possible performance impact, the sensor does not do this itself.
For BPF-based systems:
The path or command line is limited by the number of instructions a BPF program may contain and by the checks performed by the BPF verifier. Newer kernels support longer paths.
Essentially, supporting arbitrarily long paths is an OS technical limitation, and the ellipsis is the notification that the limit was reached.

Additional Information

  • Native Linux tools such as 'find', run over remote access or Live Response, can be used to identify the full path.
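As an added example (not Carbon Black's code), a POSIX shell helper that turns an ellipsis-truncated path recorded by the sensor back into candidate full paths with find(1), the approach described above. It assumes the ellipsis marks the truncation point, so the text before it is a literal prefix and any text after it a literal suffix of the real path.

```shell
#!/bin/sh
# Added example, not part of the Carbon Black sensor. Resolve a recorded path
# such as "/opt/app/very/long/di..." or "/opt/app/very/long/di.../binary" to the
# real paths on disk. Assumption: "..." marks where kmod cut the path, so the
# text before it is a literal prefix and the text after it a literal suffix.
resolve_truncated_path() {
    rec="$1"
    case "$rec" in
        *...*) ;;
        *) printf '%s\n' "$rec"; return 0 ;;   # nothing was truncated
    esac
    prefix="${rec%%...*}"     # everything before the first "..."
    suffix="${rec#*...}"      # everything after it (may be empty)

    # Walk up to the deepest directory of the prefix that actually exists, so
    # find(1) is scoped to a small subtree instead of the whole filesystem.
    root="$prefix"
    while [ -n "$root" ] && [ "$root" != "/" ] && [ ! -d "$root" ]; do
        root="$(dirname "$root")"
    done
    [ -n "$root" ] || root="/"

    # -path matches the full pathname against a shell-style pattern; the
    # truncated span becomes "*". Glob characters in the recorded path
    # ([, ?, *) would also be interpreted, which is acceptable for this use.
    find "$root" -path "${prefix}*${suffix}" 2>/dev/null
}
```

Without a suffix every entry under the prefix is a candidate, so include the part after the ellipsis whenever the sensor recorded one to narrow the result.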