logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Carbon Black Cloud: A blocking rule for .msi files works for all files except for CBC sensor install msi files.

Carbon Black Cloud: A blocking rule for .msi files works for all files except for CBC sensor install msi files.

Environment

  • Carbon Black Cloud Windows Sensors:  All versions
  • Carbon Black Cloud Servers:  All versions
  • Microsoft Windows: All versions

Symptoms

Adding this policy permission does indeed block all .msi files EXCEPT CBC sensor install .msi files like "installer_vista_win7_win8-64-3.9.2.2698.msi": 
path: **\*.msi
operation attempt: runs or is running
action: terminate process

 

Cause

This scenario pertains to sensor upgrades. There is an overrideing build-in mechanism to allow for CBC sensor .msi files to run.

Resolution

There is a Feature Request (internal FR-003695) that would allow the blocking of CBC sensor install .msi files by policy.

Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎08-04-2023
Views:
506
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.