Watchlists will not tag or alert on specific short-lived processes on Linux endpoints (process_name:chattr). These processes are supposed to be suppressed by default. However, due to a misconfiguration, the 'chattr' processes were exposed for a period of time in the EEDR Carbon Black Cloud console.
Watchlists that reference these specific short-lived processes (i.e. 'chattr') are not working as expected because the event traffic was not being processed the same way in all subsystems.
Any EEDR watchlist reports that reference the 'chattr' process should be removed/deleted. The Carbon Black Cloud backend is being updated to re-suppress these events.
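One way to find the reports that need removing, as an added example that is not Carbon Black's own code: it scans an exported set of watchlist reports for IOCs whose `process_name` clause names `chattr`. The JSON is constructed sample data, and its layout (`results`, `iocs_v2`, `match_type`, `field`, `values`) is an assumption about how the reports were exported.

```python
import json
import re

# Constructed sample export; the report layout is an assumption, not real data.
SAMPLE_EXPORT = json.dumps({"results": [
    {"id": "rpt-001", "title": "Linux immutable flag changes", "iocs_v2": [
        {"id": "ioc-1", "match_type": "query",
         "values": ["process_name:chattr AND device_os:LINUX"]}]},
    {"id": "rpt-002", "title": "Attribute tools", "iocs_v2": [
        {"id": "ioc-2", "match_type": "query",
         "values": ['process_name:("lsattr" OR "chattr") AND device_os:LINUX']}]},
    {"id": "rpt-003", "title": "Exact process names", "iocs_v2": [
        {"id": "ioc-3", "match_type": "equality", "field": "process_name",
         "values": ["/usr/bin/chattr"]}]},
    {"id": "rpt-004", "title": "Unrelated", "iocs_v2": [
        {"id": "ioc-4", "match_type": "query",
         "values": ["process_name:chattrib.sh OR process_name:curl"]}]},
]})

# A process_name clause: a parenthesised group, a quoted value, or a bare term.
CLAUSE = re.compile(r'process_name:\s*(\([^)]*\)|"[^"]*"|\S+)', re.I)
# "chattr" as a whole name; a leading path, quote or wildcard is allowed.
TERM = re.compile(r'(?<![\w.-])chattr(?![\w.-])', re.I)

def ioc_references_chattr(ioc):
    """True if this IOC matches on the chattr process name."""
    values = ioc.get("values", [])
    if ioc.get("match_type") == "query":
        return any(TERM.search(c) for v in values for c in CLAUSE.findall(v))
    # Equality and regex IOCs carry the field name separately from the values.
    return ioc.get("field") == "process_name" and any(TERM.search(v) for v in values)

def reports_to_remove(export_json):
    """Return (report id, title, matching IOC ids) for reports that reference chattr."""
    hits = []
    for report in json.loads(export_json).get("results", []):
        ioc_ids = [i["id"] for i in report.get("iocs_v2", []) if ioc_references_chattr(i)]
        if ioc_ids:
            hits.append((report["id"], report["title"], ioc_ids))
    return hits

if __name__ == "__main__":
    for rid, title, iocs in reports_to_remove(SAMPLE_EXPORT):
        print(f"{rid}  {title}  iocs={','.join(iocs)}")
```

Names that merely begin with `chattr` (such as `chattrib.sh` in the sample) are not flagged, so unrelated reports are left alone.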