Carbon Black Cloud: Why can't I delete files in a Live Response session?

Environment

  • Microsoft Windows: All Supported Versions
  • Carbon Black Cloud Sensor: 3.4.x

Question

Why am I unable to delete a read-only file in Live Response? 

The session shows the following error:

Remote error 0x80070005 - Access is denied.

Answer

The Live Response delete function calls a Windows file-deletion API that honours file attributes such as ReadOnly. Windows refuses to delete a file that has the ReadOnly attribute set and returns ERROR_ACCESS_DENIED (Win32 error 5), which the session surfaces as HRESULT 0x80070005. Failing to delete a ReadOnly file is therefore expected behaviour, and the attribute must be cleared before Live Response can delete the file.

Additional Notes

As a workaround, the attrib command can be run on the endpoint to clear the attribute:
attrib -r [filename.ext]

Once the read-only attribute has been removed with the command above, the Live Response built-in "delete" command can remove the file.

Alternatively, the Sysinternals tool SDelete from Microsoft can remove read-only files directly; the /r switch clears the read-only attribute before the file is deleted:

sdelete /r [filename.ext]

Carbon Black recommends extensive testing and special care when using powerful deletion tools like SDelete. Note that SDelete overwrites the file's contents before removing it, so retrieve a copy of the file first if it may be needed as evidence.
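The following PowerShell script is an added example, not code from the Carbon Black article or the sensor itself. It reproduces the underlying Windows behaviour the Answer describes (deletion of a ReadOnly file fails with "access denied") and then performs the two-step workaround above, clearing the attribute and deleting the file. The scratch file under $env:TEMP is constructed for the demonstration, and the function name Remove-ReadOnlyFile is illustrative.

```powershell
# Added example (not from the Carbon Black article): show why deleting a read-only
# file fails and demonstrate the attribute-clearing workaround in one place.
# The scratch file, its content and the function name are constructed for this demo.

function Remove-ReadOnlyFile {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

    # Live Response's delete command is file-only; mirror that and refuse directories.
    if ($item.PSIsContainer) {
        throw "'$Path' is a directory; this function removes files only."
    }

    # Equivalent of 'attrib -r': clear only the ReadOnly attribute, leave others intact.
    if ($item.IsReadOnly) {
        Write-Host "ReadOnly attribute set on $Path; clearing it."
        $item.IsReadOnly = $false
    }

    # Plain deletion now succeeds; no -Force is needed once ReadOnly is gone.
    Remove-Item -LiteralPath $Path -ErrorAction Stop
    return -not (Test-Path -LiteralPath $Path)
}

# --- demonstration on a constructed scratch file ---
$scratch = Join-Path $env:TEMP 'cbc-readonly-demo.txt'
Set-Content -LiteralPath $scratch -Value 'constructed test content'
(Get-Item -LiteralPath $scratch).IsReadOnly = $true

# 1) A plain delete fails on a read-only file, just as the Live Response delete does.
try {
    Remove-Item -LiteralPath $scratch -ErrorAction Stop
    Write-Host 'Unexpected: read-only file was deleted without clearing the attribute.'
}
catch {
    Write-Host "Expected failure: $($_.Exception.Message)"
}

# 2) Clear the attribute, then delete. Prints True when the file is gone.
Remove-ReadOnlyFile -Path $scratch
```

Remove-Item -Force would clear the attribute and delete in one step, which is exactly what the Live Response delete command does not do; that difference is why the attrib step is required in a session.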

An enhancement request has been made to add native functionality to delete read-only files, please feel free to upvote:
https://community.carbonblack.com/t5/Idea-Central/Allow-deletion-of-read-only-files-in-Live-Response...

If the error shown is instead the one below, the target was a directory. Live Response's delete command removes files only; deleting directories is not an available feature. The code maps to Win32 error 12, ERROR_INVALID_ACCESS.

Remote error 0x8007000C - The access code is invalid.

Article Information
Creation Date: 09-09-2020