Troubleshooting Unanalyzed Blocks

Article ID: 286757

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

The Agent is enforcing Block Events similar to:

File 'C:\Program Files (x86)\AcmeAccounting\acme.exe' [] was blocked because the Agent did not have time to analyze it.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Cause

Unanalyzed file blocks occur when the Agent does not have enough time to properly analyze a file. This is typically caused by latency on the endpoint, with network or third-party antivirus being the most common root causes.

Resolution

  1. Verify the Agent Exclusions are present in any other antivirus/security software on the endpoint.
    • Sharing Violations are one of the most common culprits for Unanalyzed Blocks.
  2. Verify the latest version of the Agent is installed, to rule out a known issue.

If the issue persists:

  1. Recreate the issue while capturing the Agent Performance Logs.
  2. Open a case with Support and include:
    • How the issue is recreated.
    • The logs captured.
    • Screenshots of any relevant Custom Rules/Updaters/Rapid Configs.
    • Whether the environment is virtualized (persistent/non-persistent) or physical.
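
To scope the problem before recreating it or opening a case, the block events can be tallied by file and by folder. This is an added example, not Carbon Black tooling: it assumes the event descriptions have been exported as plain text, one per line, and the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Message wording as quoted in this article; the bracketed field is treated as opaque.
UNANALYZED = re.compile(
    r"File '(?P<path>.+?)' \[[^\]]*\] was blocked because "
    r"the Agent did not have time to analyze it\."
)

# Constructed sample input (assumption: one event description per line).
SAMPLE_EVENTS = """\
File 'C:\\Program Files (x86)\\AcmeAccounting\\acme.exe' [] was blocked because the Agent did not have time to analyze it.
File 'C:\\Program Files (x86)\\AcmeAccounting\\lib\\report.dll' [] was blocked because the Agent did not have time to analyze it.
File 'c:\\program files (x86)\\acmeaccounting\\ACME.EXE' [] was blocked because the Agent did not have time to analyze it.
Unrelated event line that should be ignored (constructed).
"""


def unanalyzed_paths(lines):
    """Yield the blocked file path from each unanalyzed-block event line."""
    for line in lines:
        match = UNANALYZED.search(line)
        if match:
            yield PureWindowsPath(match.group("path"))


def summarize(lines):
    """Count unanalyzed blocks per file and per parent folder.

    Windows paths are case-insensitive, so keys are lower-cased to merge
    events that differ only in letter case.
    """
    by_file, by_dir = Counter(), Counter()
    for path in unanalyzed_paths(lines):
        by_file[str(path).lower()] += 1
        by_dir[str(path.parent).lower()] += 1
    return by_file, by_dir


if __name__ == "__main__":
    files, dirs = summarize(SAMPLE_EVENTS.splitlines())
    print("Unanalyzed blocks per folder:")
    for folder, count in dirs.most_common():
        print(f"{count:4d}  {folder}")
    print("Unanalyzed blocks per file:")
    for name, count in files.most_common():
        print(f"{count:4d}  {name}")
```

Folders that recur in the output indicate where to recreate the issue while capturing the Agent Performance Logs.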

Additional Information

Depending on the type of Unanalyzed Block, one or more of the following Agent Configs may alleviate the issue: