App Control: Allow Inaccessible Files

Environment

  • App Control Agent: All Supported Versions

Symptoms

  • Agent is enforcing Block Events with "Still Analyzing" or "Unapproved".
  • A hash is not listed in the reported Block Event, with no hyperlink for "File Details".

Cause

The Agent was unable to properly analyze the file, and the Policy is configured to Block Unanalyzed Scripts and Executions. This is typically caused by latency on the endpoint, with network or third-party antivirus being the most common root causes.

Resolution

  1. Verify all other antivirus/security software has the Agent Exclusions correctly added.
  2. Upgrade to the latest Agent version to eliminate any known issues.

If the issue persists, or as directed by Support, the following workaround may resolve the issue:
  1. Log in to the Console and navigate to https://ServerAddress/agent_config.php > Add Agent Config:
    • Property Name: Allow Inaccessible files
    • Host ID: 0 (0 will send the config to all machines)
    • Value:
      allow_inaccessible_files=0x02
    • Status: Enabled
    • Create For: All, or only relevant Policies
    • Save the configuration change

Additional Notes

  • You can specify which blocks get suppressed depending on the reason that the files were inaccessible:
    • File not existing = 0x02
    • File is not interesting = 0x04
    • Failed to hash file = 0x08
    • Unknown open error = 0x10
    • Access to file denied = 0x20
    • Sharing violation = 0x40
    • Other error = 0x80
    • These values can be combined. For example: specifying allow_inaccessible_files=0x60 would approve both access errors and sharing violation errors.
    • allow_inaccessible_files=1 includes all of the above
  • Security Risk: Moderate (A malicious actor could overwrite an unknown or approved file with new content and lock the file, preventing analysis as a means of bypassing enforcement)
  • Operational Risk: Net plus (decreases the number of analyzed blocks)
  • Conflicts or Overlaps: If allow_inaccessible_files is enabled (value=1), there is no need to additionally have approve_inaccessible_files_based_on_last_known_state enabled.
  • Setting the Host ID to "0" sends the configuration to all Agents; otherwise, a specific Host ID can be used.
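
The flag values listed above can be decoded and checked against the reasons you actually need to suppress, so the configured mask is no broader than necessary. This is an added example, not Carbon Black code; the function names are hypothetical, and reporting bits the article does not list as "undocumented" is an assumption.

```python
# Added example: decode and audit an allow_inaccessible_files value.
# Flag table copied from the article's "Additional Notes".
REASONS = {
    0x02: "File not existing",
    0x04: "File is not interesting",
    0x08: "Failed to hash file",
    0x10: "Unknown open error",
    0x20: "Access to file denied",
    0x40: "Sharing violation",
    0x80: "Other error",
}
ALL_BITS = sum(REASONS)  # 0xFE, every documented flag combined


def parse_value(line):
    """Accept 'allow_inaccessible_files=0x60', '0x60' or '1'."""
    text = line.split("=", 1)[-1].strip()
    return int(text, 0)  # base 0 accepts both 0x.. and decimal


def decode(value):
    """Return (suppressed reason names, bits the article does not list)."""
    if value == 1:  # per the article, 1 includes all of the reasons
        return list(REASONS.values()), 0
    names = [name for bit, name in REASONS.items() if value & bit]
    return names, value & ~ALL_BITS  # assumption: report leftovers


def narrowest_mask(needed):
    """Smallest mask that suppresses only the named reasons."""
    unknown = set(needed) - set(REASONS.values())
    if unknown:
        raise ValueError("not a documented reason: %s" % sorted(unknown))
    return sum(bit for bit, name in REASONS.items() if name in needed)


def audit(line, needed):
    """Compare a configured value with the reasons actually required."""
    names, undocumented = decode(parse_value(line))
    return {
        "suppressed": names,
        "undocumented_bits": undocumented,
        "excess": [n for n in names if n not in needed],
        "suggested": "allow_inaccessible_files=0x%02x" % narrowest_mask(needed),
    }


if __name__ == "__main__":
    # Constructed input: value 1 configured, only sharing violations needed.
    print(audit("allow_inaccessible_files=1", {"Sharing violation"}))
```
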

Creation Date: 12-17-2018