Bit9 agent in Disable mode policy still has I/O activity

Version

All

Issue

Bit9 agent in Disable mode policy still has I/O activity.

Symptoms

Procmon shows I/O activities for parity.exe process.

Cause

Normal behavior.

Solution

Verify in Procmon that other applications on the endpoint are also generating I/O activity, so that the parity.exe activity is seen in proportion to the rest of the system.
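One way to do that comparison from a saved capture rather than by eye, as an added example that is not part of the original article or of Carbon Black's tooling: export the Procmon capture to CSV and count file-system operations per process. It assumes Procmon's default CSV export columns ("Process Name", "Operation") and uses a constructed sample capture in place of a real one.

```python
"""Summarise a Process Monitor (Procmon) CSV export per process, to see whether
parity.exe's file I/O sits beside comparable file I/O from other applications,
as the article expects for an agent in a Disabled-mode policy."""
import csv
import io
from collections import Counter

# Procmon operations treated as file-system I/O (a representative subset; assumption).
FILE_OPS = {"CreateFile", "ReadFile", "WriteFile", "CloseFile",
            "QueryStandardInformationFile", "SetDispositionInformationFile"}

# Constructed sample export in Procmon's default CSV layout; not a real capture.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.001","parity.exe","1234","CreateFile","C:\\Users\\a\\doc.txt","SUCCESS",""
"10:00:01.002","parity.exe","1234","ReadFile","C:\\Users\\a\\doc.txt","SUCCESS","Length: 4,096"
"10:00:01.003","notepad.exe","2222","WriteFile","C:\\Users\\a\\doc.txt","SUCCESS","Length: 512"
"10:00:01.004","notepad.exe","2222","CloseFile","C:\\Users\\a\\doc.txt","SUCCESS",""
"10:00:01.005","parity.exe","1234","CloseFile","C:\\Users\\a\\doc.txt","SUCCESS",""
"10:00:01.006","svchost.exe","900","RegQueryValue","HKLM\\SOFTWARE\\X","SUCCESS",""
"10:00:01.007","chrome.exe","3333","WriteFile","C:\\Users\\a\\cache.bin","SUCCESS","Length: 8,192"
"""

def file_io_by_process(csv_text):
    """Return {process name: number of file-system operations} for a Procmon CSV export."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Operation") in FILE_OPS:       # registry, network etc. are skipped
            counts[row["Process Name"]] += 1
    return dict(counts)

def agent_share(counts, agent="parity.exe"):
    """Fraction of the counted file operations attributed to the agent (0.0 if none)."""
    total = sum(counts.values())
    return counts.get(agent, 0) / total if total else 0.0

def other_processes_have_io(counts, agent="parity.exe"):
    """The article's check: did processes other than the agent also perform file I/O?"""
    return any(name != agent and n > 0 for name, n in counts.items())

if __name__ == "__main__":
    by_proc = file_io_by_process(SAMPLE_CSV)
    for name, n in sorted(by_proc.items(), key=lambda kv: -kv[1]):
        print(f"{name:20s} {n}")
    print(f"parity.exe share of file I/O: {agent_share(by_proc):.0%}")
    print("Other applications also doing file I/O:", other_processes_have_io(by_proc))
```

For a real capture, replace SAMPLE_CSV with the contents of the file saved via File > Save (CSV format) in Procmon; a high parity.exe share that tracks heavy write activity from another process is the behaviour the article describes.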

A Bit9 agent in Disabled mode continues to monitor certain operations, without reporting them to the Bit9 server, so that there are no gaps in file and process information if the agent is later returned to an active enforcement mode. This normally requires a very minimal amount of resources on the endpoint. However, if other applications perform an extremely large number of writes on the machine, the Bit9 agent will monitor each of them, and the resulting I/O impact may be noticeable.

An agent under a Disabled policy still collects a minimum of file information, such as hashes. A Bit9 agent in Disable mode is not a 100% dormant agent: it still monitors the machine for activity but does not enforce the rules.

Article Information
Creation Date: 08-18-2015