App Control: Blocked File Shows DiscoveredBy[Kernel:Execute]
Article ID: 291177
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
- Blocked file event shows DiscoveredBy[Kernel:Execute] in the description
- File was expected to be approved on write
Environment
- App Control: All Supported Versions
Cause
- DiscoveredBy[Kernel:Execute] means the agent did not discover the file when it was first written to disk; it only discovered the file at the moment it was executed.
- Because the file was never seen as a new file, a File Creation Control rule (approve on write) will not take effect for it.
Resolution
Some actions to take to ensure the file is approved as desired:
- Ensure there isn't a PO (performance optimization) rule in place that ignores the initial file creation
- Use an Execution Control > Allow rule to allow the file to execute when needed
- Approve the file based on its publisher, if the file is signed
Additional Information
- This is more likely to happen with files that are created and then immediately executed
- Script files that are not executables may also show this behavior, because the file was not an interesting file until it was run by an interpreter
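As an added triage example (not part of this article and not Carbon Black's own tooling), the script below scans blocked-file event descriptions for the DiscoveredBy[...] token and separates events discovered at execution, where a File Creation Control rule cannot have applied, from the rest. The event text, the file paths and the exact wording of the descriptions are constructed for the example; only the DiscoveredBy[Kernel:Execute] token itself comes from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the DiscoveredBy[...] token in an App Control event description
# and captures the discovery source, e.g. "Kernel:Execute".
DISCOVERED_BY_RE = re.compile(r"DiscoveredBy\[(?P<source>[^\]]+)\]")

# File extensions treated as interpreter-run scripts for this example
# (assumption: a plausible list, not App Control's own definition).
SCRIPT_EXTENSIONS = (".ps1", ".bat", ".cmd", ".vbs", ".js", ".py")

# Constructed sample event descriptions (not real App Control output).
SAMPLE_EVENTS = [
    "File 'c:\\temp\\build\\tool.exe' was blocked because it was unapproved. "
    "DiscoveredBy[Kernel:Execute]",
    "File 'c:\\users\\alice\\run.ps1' was blocked because it was unapproved. "
    "DiscoveredBy[Kernel:Execute]",
    "File 'c:\\program files\\app\\helper.dll' was blocked because it was unapproved.",
]


@dataclass
class Triage:
    description: str
    path: Optional[str]          # file path quoted in the description, if any
    discovered_by: Optional[str]  # contents of DiscoveredBy[...], if present
    discovered_on_execute: bool   # True when the source is Kernel:Execute
    is_script: bool               # path ends in a script extension
    note: str                     # next step for the analyst


def triage_event(description: str) -> Triage:
    """Classify one event description by how the file was discovered."""
    m = DISCOVERED_BY_RE.search(description)
    source = m.group("source") if m else None

    path_match = re.search(r"File '([^']+)'", description)
    path = path_match.group(1) if path_match else None
    is_script = bool(path) and path.lower().endswith(SCRIPT_EXTENSIONS)

    on_execute = source == "Kernel:Execute"
    if on_execute:
        note = ("First seen at execution, not at creation: a File Creation Control "
                "rule cannot apply. Check for a PO rule ignoring the write, or use a "
                "publisher approval / Execution Control Allow rule.")
        if is_script:
            note += " Script file: it only became interesting when an interpreter ran it."
    elif source is None:
        note = "No DiscoveredBy token in the description; inspect the event in the console."
    else:
        note = f"Discovered by {source}; creation-based approval may still apply."

    return Triage(description, path, source, on_execute, is_script, note)


def triage_all(descriptions: List[str]) -> List[Triage]:
    return [triage_event(d) for d in descriptions]


def count_execute_discovered(descriptions: List[str]) -> int:
    """Number of events whose file was first discovered at execution."""
    return sum(1 for t in triage_all(descriptions) if t.discovered_on_execute)


if __name__ == "__main__":
    for t in triage_all(SAMPLE_EVENTS):
        print(f"{t.path}: discovered_by={t.discovered_by} script={t.is_script}")
        print(f"  -> {t.note}")
    print(f"{count_execute_discovered(SAMPLE_EVENTS)} of {len(SAMPLE_EVENTS)} "
          "events were discovered at execution")
```

In practice you would feed this the description field of exported or API-retrieved block events rather than the constructed lines above; the useful output is the subset flagged discovered_on_execute, since those are exactly the files for which an approve-on-write rule was never in play.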