Carbon Black Cloud: Why can't I delete files in a Live Response session?

Environment

  • Microsoft Windows: All Supported Versions
  • Carbon Black Cloud Sensor: 3.4.x

Question

Why am I unable to delete a read-only file in Live Response? 

The session shows the following error:

Remote error 0x80070005 - Access is denied.

Answer

The Live Response delete function uses a Windows API that honors file flags such as ReadOnly. Failing to delete a ReadOnly file is expected behavior; the flag must be removed before Live Response can delete the file.

Additional Notes

As a workaround, the attrib command can be used to remove the read-only attribute:
attrib -r [filename.ext]

Once the read-only attribute has been removed (with the command above), the Live Response built-in "delete" command can be used to remove the file.

Alternatively, the Sysinternals tool sdelete from Microsoft also allows the removal of read-only files:

sdelete /r [filename.ext]

Carbon Black recommends extensive testing and special care when using powerful deletion tools like SDelete.

An enhancement request has been made to add native functionality to delete read-only files. Please feel free to upvote:
https://community.carbonblack.com/t5/Idea-Central/Allow-deletion-of-read-only-files-in-Live-Response...

If the session instead shows the error below, an attempt was made to delete a directory, which is not an available feature in Live Response.

Remote error 0x8007000C - The access code is invalid.
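
The attribute check behind both errors above, as an added PowerShell example (not part of the original article and not Carbon Black code). It assumes a Windows endpoint, uses the .NET file APIs as a stand-in for the Windows API that Live Response calls, and Get-DeleteBlocker is a hypothetical helper name; it only touches a scratch file and directory that it creates itself.

```powershell
# Added example. Get-DeleteBlocker is a hypothetical helper, not a Live Response command.
# It reports which attribute would stop a plain file delete: Directory, ReadOnly, or None.
function Get-DeleteBlocker {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = [System.IO.File]::GetAttributes($Path)
    if ($attrs -band [System.IO.FileAttributes]::Directory) { return 'Directory' }
    if ($attrs -band [System.IO.FileAttributes]::ReadOnly)  { return 'ReadOnly' }
    return 'None'
}

# Constructed scratch data under the user's temp directory.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ("lr-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
$file = Join-Path $root 'sample.txt'
Set-Content -Path $file -Value 'constructed test data'
Set-ItemProperty -Path $file -Name IsReadOnly -Value $true

# Classify both targets before attempting any delete.
"{0} -> {1}" -f $root, (Get-DeleteBlocker -Path $root)
"{0} -> {1}" -f $file, (Get-DeleteBlocker -Path $file)

# A file delete is refused while the ReadOnly attribute is set.
try {
    [System.IO.File]::Delete($file)
    "Delete succeeded unexpectedly"
} catch {
    $inner = $_.Exception.GetBaseException()
    "Delete refused: {0}: {1}" -f $inner.GetType().Name, $inner.Message
}

# Clearing the attribute (what attrib -r does) lets the same call succeed.
Set-ItemProperty -Path $file -Name IsReadOnly -Value $false
[System.IO.File]::Delete($file)
"File still exists after clearing the flag and deleting: {0}" -f (Test-Path -Path $file)

# Remove the now-empty scratch directory.
Remove-Item -Path $root
```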

Article Information

Creation Date: 09-09-2020