Version
Cb Defense - All Sensor Versions
Issue
You observe "repmgr" or "Cb Defense" related events get blocked without bad reputation or related policy rules.
Symptoms
Some of the actions (e.g. open the process) taken to "repmgr" or "Cb Defense" could be blocked with no obvious reason from reputation or policy rules. But it has "POLICY_DENY" or "POLICY_TERMINATE" TTPs with it.
Example
Cause
This kind of blocking actions are caused by Cb Defense sensor's built-in Tamper Protection (also known as "Self-protection"). In order to provide full protection to your systems, Cb Defense sensors will block all kinds of actions like access, modify or delete to Cb Defense related services and processes. Such blocking actions are enforced by design and will present in dashboard as a blocking event with policy action TTPs even though blocking was not actually triggered by a policy action, but by sensor's self-protection.
Solution
Since it is a normal protection feature, it's safe to ignore such blocking events if they don't affect your daily work. If they do, please Create a Case in The Community for further assistance.
Related Content
