Per-user Custom Rules Not Working as Expected
Article ID: 368285
Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

The Agent is associating the file operation with a different/remote user rather than the one reported to the Console.

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: 8.9.0 and higher
  • Microsoft Windows: All Supported Versions

Cause

The Agent is associating the file operation with a different/remote user rather than the user reported in the Event. This issue is being tracked under CRE-17869 and will be addressed in a future release.

Resolution

Until the fix ships, the temporary workaround is to disable the Thread Identity checking feature with an Agent Config entry:

  1. Log in to the Console and navigate to https://ServerAddress/agent_config.php
  2. Click Add Agent Config and use the following details:
    • Name: TMP - Disable Thread Identity (CRE-17869)
    • Host ID: 0 (Use 0 for all, or specify ID of relevant machine)
    • Value: kernelCheckThreadIdentity=0
    • Platform: Windows
    • Status: Enabled
    • Create For: Selected Policies > Relevant Policies
  3. Click Save

Additional Information

  • Prior to version 8.9.0, Agents checked only the User identity (SID) of the running process, not of its individual threads.
  • Agent 8.9.0 adds the ability to check the User identity (SID) of the process thread performing the operation, which is more granular and more secure than a process-level check.
  • Setting kernelCheckThreadIdentity=0 disables the Thread Identity check, and the Agent falls back to Process Identity checks (the behavior prior to 8.9.0). Since this reverts to the less granular check, the temporary Agent Config should be removed once the fix for CRE-17869 is released.