
Carbon Black Cloud: How To Find Blocks In Windows Event Viewer (3.0 and below)

Environment

  • CB Defense PSC Console: All Versions
  • CB Defense Sensor: 3.0 and below
  • Microsoft Windows: All Supported Versions

Objective

Provide terms to search for in Windows Event Viewer to identify blocks from CB Defense.

Resolution

Search for any of the following terms in Event Viewer:

  • was prevented from loading the file
  • was prevented from accessing the file
  • due to a Deny operation or Terminate process policy action
  • was terminated due to a Deny operation or Terminate process policy action
  • The operation was blocked by Confer
  • The operation was blocked and the application terminated by Confer
  • The connection was reset by Confer

Additional Notes

  • This information can also be useful when users report programs being blocked but no Events or Alerts are shown in the CB Defense PSC Console, or when troubleshooting interoperability issues with the CB Defense Sensor.
  • The event source may be CbDefense, with Event ID 17 for blocks.
  • Other event IDs referenced by CbDefense events include 1, 17, 33, and 49.
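
The same search can be scripted instead of typed into the Event Viewer Find dialog. The following PowerShell is an added example, not part of the original article or a Carbon Black tool; the function name `Find-CbDefenseBlock` is hypothetical, and the `Application` log name is an assumption because the article does not say which log holds these events.

```powershell
# Added example. The phrases are copied from the Resolution section above.
$BlockPhrases = @(
    'was prevented from loading the file',
    'was prevented from accessing the file',
    'was terminated due to a Deny operation or Terminate process policy action',
    'due to a Deny operation or Terminate process policy action',
    'The operation was blocked by Confer',
    'The operation was blocked and the application terminated by Confer',
    'The connection was reset by Confer'
)

# One escaped alternation so each event message is scanned only once.
$BlockPattern = ($BlockPhrases | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-CbDefenseBlock {
    param(
        # Assumption: the article does not name the log; pass another with -LogName.
        [string]$LogName = 'Application',
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    # Filter on log and time at the source. Match on message text rather than
    # provider name, because the article only says the source "may be" CbDefense.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $BlockPattern } |
        Select-Object TimeCreated, ProviderName, Id,
            @{ Name = 'Phrase'
               Expression = { [regex]::Match($_.Message, $BlockPattern, 'IgnoreCase').Value } },
            Message
}

# Collect the last 7 days of matches, then summarise by source and event ID
# to compare against the IDs listed in Additional Notes.
$blocks = @(Find-CbDefenseBlock)
$blocks | Group-Object ProviderName, Id | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$blocks | Sort-Object TimeCreated -Descending |
    Format-List TimeCreated, ProviderName, Id, Phrase, Message
```

Run it from an elevated PowerShell prompt on the affected endpoint if the chosen log requires administrator rights to read.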

Article Information
Creation Date: 10-24-2017