Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Environment

App Control: All Supported Versions

Symptoms

Blocked file event shows DiscoveredBy[Kernel:Execute] in the description
File was expected to be approved on write

Cause

DiscoveredBy[Kernel:Execute] means the file was not discovered during initial creation, rather during the execution.
Because of this, a File Creation Control Rule will not be effective.

Resolution

Some actions to take to ensure the file is approved as desired:

Ensure there isn't a PO (performance optimization) rule in place ignoring the initial file creation
Use an Execution Control > Allow rule to allow the file to execute when needed
Approve the file based on publisher if available

Additional Notes

This is more likely to happen on files that are created and immediately executed
Script files which aren't executables files may also show this behavior as it wasn't an interesting file until ran by an interpreter

Related Content

App Control: How to Setup a Performance Optimization Rule to Ignore Directory Writes

Article Information

Author:

Creation Date:

‎08-26-2021

Views:

337

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.