Endpoint Standard: An Action Gets Blocked When Reading Security Data
Article ID: 291346
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
A block alert appears with the TTP read_security_data and may contain the text below:
"The application "Application Name" read memory from a system security process (lsass.exe). This may have included user credential or password information."
The application has a reputation other than Not_Listed or Unknown.
Environment
Carbon Black Cloud Console: All Versions
Endpoint Standard Windows Sensor: All Versions
Cause
The sensor has a hidden rule that blocks memory scrapes against lsass.exe.
Resolution
If this behavior is needed, a permissions rule can be created on the blocked application path to allow "Scrapes memory of another process". Please refer to this document to create a permissions rule if needed.
Additional Information
These blocks can occur without a block rule being added to the policy.