Cb Defense: TTP ACCESS_EMAIL_DATA attached to all Alerts where edb files are accessed

Environment

  • Cb Defense PSC Console: All Versions
  • Cb Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Question

Why does Cb Defense generate Alert "[filename] accesses files containing user data." with TTP ACCESS_EMAIL_DATA every time that non email related edb files are accessed?
The application C:\Windows\System32\taskhost.exe attempted to access the Email file "C:\Users\<username>\AppData\Local\Microsoft\Internet Explorer\Indexed DB\temp.edb"

Answer

Exchange uses .edb database files to store email data, but Windows also uses the .edb format for its general-purpose indexed storage technology, the Extensible Storage Engine (ESE). Currently, however, the Cb Defense Analytics Engine identifies every .edb file as an email file, so accessing a non-email ESE database (such as the Internet Explorer IndexedDB store in the example above) still raises the ACCESS_EMAIL_DATA TTP.

Additional Notes

Files with the .edb extension may contain sensitive information even when they are not email related, so in the future Carbon Black plans to remove the ACCESS_EMAIL_DATA TTP from edb-related Alerts and replace it with a TTP that is more specific and accurate. This article will be updated when that change has been implemented.
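Until the TTP is changed, analysts may want to separate .edb Alerts that point at known Windows ESE stores from those that may involve a mailbox database. The triage helper below is an added example, not Carbon Black code: it parses Alert text in the format shown above, and the list of known non-email ESE directories (the IndexedDB path from this article plus the Windows Search index location) is an assumption you should extend for your environment.

```python
import re
from pathlib import PureWindowsPath

# Matches the Alert wording quoted in this article:
# The application <process> attempted to access the Email file "<path>"
ALERT_RE = re.compile(
    r'The application (?P<process>.+?) attempted to access the Email file "(?P<path>[^"]+)"'
)

# Directories known to hold Windows ESE databases that are not email stores.
# This list is an assumption for triage, not Carbon Black's own classification.
KNOWN_ESE_DIRS = (
    r"AppData\Local\Microsoft\Internet Explorer\Indexed DB",   # path from the Alert in this article
    r"ProgramData\Microsoft\Search\Data\Applications\Windows",  # Windows Search index (Windows.edb)
)


def parse_alert(text):
    """Extract the accessing process and the file path from one Alert line, or None."""
    m = ALERT_RE.search(text)
    return None if m is None else {"process": m.group("process"), "path": m.group("path")}


def classify_edb_access(alert):
    """'not_edb' if the file is not .edb, 'non_email_ese' if it sits in a known
    Windows ESE directory, otherwise 'review' (possible mailbox database)."""
    path = PureWindowsPath(alert["path"])
    if path.suffix.lower() != ".edb":
        return "not_edb"
    normalized = str(path).lower()
    if any(d.lower() in normalized for d in KNOWN_ESE_DIRS):
        return "non_email_ese"
    return "review"


def triage(alerts):
    """Classify each Alert line; lines that do not match the format are 'unparsed'."""
    parsed = (parse_alert(t) for t in alerts)
    return ["unparsed" if a is None else classify_edb_access(a) for a in parsed]


# Constructed sample Alert lines modelled on the one quoted in this article.
SAMPLE_ALERTS = [
    r'The application C:\Windows\System32\taskhost.exe attempted to access the Email file "C:\Users\alice\AppData\Local\Microsoft\Internet Explorer\Indexed DB\temp.edb"',
    r'The application C:\Windows\System32\SearchIndexer.exe attempted to access the Email file "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"',
    r'The application C:\Tools\unknown.exe attempted to access the Email file "D:\Mailbox Database\Mailbox Database.edb"',
    "some unrelated log line",
]

if __name__ == "__main__":
    for text, verdict in zip(SAMPLE_ALERTS, triage(SAMPLE_ALERTS)):
        print(f"{verdict:14} <- {text[:70]}")
```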

Article Information
Creation Date: 02-09-2018