Environment
Question
Why is no Alert created in the console, even though the sensor shows an alert pop-up notification on the local endpoint?
Answer
- The sensor sends this event to the console, where it appears as an Event on the Investigate page, but it does not create an Alert.
- An Alert is not created in order to avoid generating a large number of alerts based on READ events.
- The Sensor UI only triggers DENY and TERMINATE notifications for reports on Process Create, File Actions, and reports on malware files scanned by the Local Scanner.
- The Sensor UI only shows a notification for a given report once per 6-hour period.
Additional Notes
- Any time a pop-up notification appears on the Local UI, the corresponding event should be visible on the Investigate page of the console.
- A READ event is triggered any time a file is accessed but not modified. If software such as a backup program or another AV product touches or scans the file, this triggers a READ event. Likewise, if a program that has read permissions attempts to read or access a file, that is treated as a READ event as well.
Related Content
Cb Defense: Why doesn't POLICY_DENY of KNOWN_MALWARE generate an Alert?