Environment
- App Control (formerly CB Protection) Agent: All Supported Versions
Symptoms
This is one of the agent configuration properties we recommend for unanalyzed file blocks. The most common symptom of that issue is a block occurring with no file hash present in the event in the console.
Cause
Unanalyzed file blocks occur when the agent does not have time to properly analyze a file. This is typically caused by latency on the endpoint; network or third party antivirus being the most common root cause.
Resolution
Configuration Property Listed Below:
- Property Name: Allow Deleted Files for Analysis
- Host ID: 0 For All
- Value: kernelAllowDeletedFiles=1
- Status: Enabled
Additional Notes
- To add an agent config follow this article
- If an abmiss check found that the file does not exist (has been deleted before the agent could hash the file) and the operation is an open or create of a script file, if kernelAllowDeletedFiles is set to true (1), the driver will allow the operation and let the OS handle the missing file situation.
- Note that the driver considers an “open” operation on a script file as an execute.
- Security Risk: Low
- Operational Risk: Low to none.
Related Content
