Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Environment

Carbon Black Cloud Console: All Versions
Carbon Black Cloud Sensor: 3.6.0.1897 and Higher
Microsoft Windows: All Supported Versions

Symptoms

Local pop-up warnings about blocking USB Device
Policy has "USB Device Blocking" > "Block access to all unapproved USB devices" ticked/enabled on Prevention tab
USB Device blocking does not appear to work (able to copy files to/from USB without actual blocks)

Cause

Policy has Permissions rule for winlogon.exe

Applications at path: C:\Windows\System32\winlogon.exe
Operation Attempt: Performs any operation
Action: Bypass

Resolution

Remove any configured "Performs any operation > Bypass" Permissions rules referencing winlogon.exe (or any other core Windows processes associated with interactive user sessions)
Reboot Endpoint to clear memory of Permissions rule

Additional Notes

The Permissions rule called out above for winlogon.exe grants the same permission to all other processes in the process tree of winlogon.exe
Permissions rules using "Performs any operation > Bypass" require a system reboot to fully remove the rule from the Sensor

Related Content

Carbon Black Cloud: What are the differences between API Bypass and Full Bypass
Device Control For USB Storage Devices Now Available in Endpoint Standard
Device Control: How To Block USB Devices

Article Information

Author:

Creation Date:

‎10-13-2021

Views:

1087

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.