Cannot Delete User Profile
Article ID: 291471
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
- When attempting to delete a user profile using the System ~ User Profiles dialog box an error message is displayed "Profile not deleted completely. Error - The RPC Server is unavailable"
- Profile can be deleted with the sensor in bypass
- A lot of alerts are created with policy deny and ransomware messages or the following
svchost.exe attempted to perform ransomware behavior. A Terminate policy action was applied.
Environment
- Endpoint Standard Sensor: 3.x and Higher
- Microsoft Windows: All Supported Versions
Cause
A setting in the policy is blocking ransomware-like behavior from the services removing the account (svchost.exe)
Resolution
- The blocking policy will need to be refined to allow the user files to be deleted
- Event Reporting and Sensor Operation Exclusions can be refined to allow specific processes and cmdlines to be ran
- Setting the sensor to bypass will allow the user to be removed
Additional Information
- A terminate policy for ** performs ransomware-like behavior will block any processes touching canary files including deleting a user account
- This is normally setup due to ransomware protection rules
Feedback
Yes
No
Powered by
