Version

Cb Defense - All Sensor Versions

Issue

You observe "repmgr" or "Cb Defense" related events get blocked without bad reputation or related policy rules.

Symptoms

Some of the actions (e.g. open the process) taken to "repmgr" or "Cb Defense" could be blocked with no obvious reason from reputation or policy rules. But it has "POLICY_DENY" or "POLICY_TERMINATE" TTPs with it.

Example

Cause

This kind of blocking actions are caused by Cb Defense sensor's built-in Tamper Protection (also known as "Self-protection"). In order to provide full protection to your systems, Cb Defense sensors will block all kinds of actions like access, modify or delete to Cb Defense related services and processes. Such blocking actions are enforced by design and will present in dashboard as a blocking event with policy action TTPs even though blocking was not actually triggered by a policy action, but by sensor's self-protection.

Solution

Since it is a normal protection feature, it's safe to ignore such blocking events if they don't affect your daily work. If they do, please Create a Case in The Community​ for further assistance.

Related Content

Cb Defense: How to Find Policy Actions in Dashboard

Cb Defense: How to set up exclusions for AV products