Environment
- Cb Defense PSC Console: All Versions
- Cb Defense Sensor: All Versions
- Microsoft Windows: All Supported Versions
Question
Why does Cb Defense generate the Alert "[filename] accesses files containing user data." with TTP ACCESS_EMAIL_DATA every time non-email-related .edb files are accessed?
The application C:\Windows\System32\taskhost.exe attempted to access the Email file "C:\Users\<username>\AppData\Local\Microsoft\Internet Explorer\Indexed DB\temp.edb"
Answer
Exchange does use .edb database files to store email data, but Windows also uses the .edb file format for its advanced indexed storage technology, known as the Extensible Storage Engine (ESE). Currently, however, the Cb Defense Analytics Engine identifies all .edb files as email files.
Additional Notes
Files with the .edb extension may contain sensitive information even if they are not email related, so in the future Carbon Black plans to remove the ACCESS_EMAIL_DATA TTP attached to .edb-related Alerts and replace it with a TTP that is more specific and accurate. This article will be updated when that change has been implemented.
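As an added example (not Carbon Black code), the following Python script triages alert text in the format shown in the Question above, separating known Windows ESE stores from likely Exchange databases. The path hints other than the Internet Explorer Indexed DB path, the verdict labels and the sample alerts are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Alert wording taken from the example alert in this article.
ALERT_RE = re.compile(
    r'The application (?P<process>.+?) attempted to access '
    r'the Email file "(?P<path>[^"]+)"'
)

# Assumed triage hints (lowercase substrings), not Carbon Black data.
WINDOWS_ESE_HINTS = (
    "\\microsoft\\internet explorer\\indexed db\\",  # path from this article
    "\\microsoft\\search\\data\\applications\\windows\\windows.edb",  # Windows Search
    "\\softwaredistribution\\datastore\\datastore.edb",  # Windows Update
)
EXCHANGE_HINTS = ("\\exchange server\\",)  # assumed Exchange install path fragment


class Triage(NamedTuple):
    process: str
    path: str
    verdict: str


def triage_alert(text: str) -> Optional[Triage]:
    """Parse one alert description and label the .edb file it refers to."""
    match = ALERT_RE.search(text)
    if match is None:
        return None  # not an "Email file" access alert
    process, path = match.group("process"), match.group("path")
    lowered = path.lower()
    if not lowered.endswith(".edb"):
        verdict = "not-edb"
    elif any(hint in lowered for hint in EXCHANGE_HINTS):
        verdict = "likely-exchange"  # real mail store: investigate first
    elif any(hint in lowered for hint in WINDOWS_ESE_HINTS):
        verdict = "windows-ese"  # not email, but may still hold sensitive data
    else:
        verdict = "unknown-edb"  # unrecognised location: review manually
    return Triage(process, path, verdict)


# Constructed sample alerts; only the first path appears in this article.
SAMPLE_ALERTS = [
    r'The application C:\Windows\System32\taskhost.exe attempted to access the Email file "C:\Users\<username>\AppData\Local\Microsoft\Internet Explorer\Indexed DB\temp.edb"',
    r'The application C:\Tools\backup.exe attempted to access the Email file "C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB01\DB01.edb"',
    r'The application C:\Tools\backup.exe attempted to access the Email file "D:\Data\store.edb"',
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(triage_alert(alert))
```

A "windows-ese" verdict only says the file is not an Exchange store; whether the accessing process had a legitimate reason to read it still needs review.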