Environment
- App Control Server: All Supported Versions
- App Control Agent: All Supported Versions
Symptoms
- Blocks in \Windows\WinSxS\Temp\PendingDeletes folder that are unhashed
- Blocks in \Program Files\Windowsapps\Deleted\ folder that are unhashed
Cause
Because of how Windows uses these directories during Windows Update and other OS-related processes, the files are already deleted by the time our agent starts analyzing them, causing us to respond with an "open file failure" and show a block.
Resolution
There are a few different ways these blocks can be dealt with:
- Enforce a scheduled reboot policy in the environment. Under ordinary circumstances, rebooting the device after Windows Updates will clear/prevent these blocks.
  - This is the safest method as there is no rule that can be taken advantage of.
- If the notifier is bothersome to end users, disabling the notifier can alleviate this burden.
  - This may cause some confusion to end users and/or technicians that are troubleshooting system/application issues.
- Create an execution control rule to allow the executions.
  - Generally not recommended as the path processes are usually generic and could be taken advantage of.
- A configuration in the console can be added to allow the "open file failure" by using the steps below.
  - Log on to the Cb Protection console and navigate to https://<CBServerName>/agent_config.php
  - Click on + Add Agent Config
  - Fill in the properties as shown below:
    - Property Name: Allow Inaccessible files
    - Host ID: 0 (a value of 0 sends the setting to all machines)
    - Value:
      - 8.1 P2 and higher use: allow_inaccessible_files=0x02
      - Older agents use: allow_inaccessible_files=1
    - Status: Enabled
  - Click Save
Additional Notes
- The allow_inaccessible_files=0x02 configuration tells agents to allow the open file failure when the condition is "File not existing"
- The allow_inaccessible_files=1 configuration tells agents to allow the "open file failure" for any of the below conditions:
  - File not existing
  - File is not interesting
  - Failed to hash file
  - Unknown open error
  - Access to file denied
  - Sharing violation
  - Other error
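Before enabling either value, it helps to confirm that the blocks being seen really match the pattern in Symptoms. The following is an added example, not part of the product or its documentation: a Python triage over block events that labels each one as the expected Windows Update pattern or as needing review, and lists which of the two values covers its failure condition according to Additional Notes. The event field names (path, hash, reason) and the sample events are assumptions constructed for illustration, not the console's export schema.

```python
import ntpath  # Windows path semantics, works on any analyst workstation

# Directories from the Symptoms section, lowercased, drive letter removed.
KNOWN_DIRS = (
    r"\windows\winsxs\temp\pendingdeletes",
    r"\program files\windowsapps\deleted",
)
# Failure conditions each setting allows, as listed under Additional Notes.
ALL_CONDITIONS = frozenset({
    "File not existing", "File is not interesting", "Failed to hash file",
    "Unknown open error", "Access to file denied", "Sharing violation",
    "Other error",
})
ALLOWED = {"0x02": frozenset({"File not existing"}), "1": ALL_CONDITIONS}

def in_known_dir(path):
    """True if path resolves inside a Symptoms directory ('..' is collapsed first)."""
    p = ntpath.normpath(ntpath.splitdrive(path)[1]).lower()
    return any(p.startswith(d + "\\") for d in KNOWN_DIRS)

def triage(event):
    """Return (label, settings whose allowed conditions include event['reason'])."""
    expected = (
        not event["hash"]                      # block is unhashed
        and in_known_dir(event["path"])        # in a directory named in Symptoms
        and event["reason"] == "File not existing"
    )
    covered_by = sorted(s for s, conds in ALLOWED.items() if event["reason"] in conds)
    return ("expected" if expected else "review", covered_by)

# Constructed sample events; field names are hypothetical.
EVENTS = [
    {"path": r"C:\Windows\WinSxS\Temp\PendingDeletes\a1b2c3.dll",
     "hash": "", "reason": "File not existing"},
    {"path": r"C:\Users\Public\tool.exe",
     "hash": "", "reason": "Access to file denied"},
    # Looks like a Symptoms path but resolves to \Windows\Temp\x.exe.
    {"path": r"C:\Windows\WinSxS\Temp\PendingDeletes\..\..\..\Temp\x.exe",
     "hash": "", "reason": "File not existing"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["path"], *triage(e))
```

Events labeled "review" that only the value 1 covers show how much wider the older-agent setting is than 0x02.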