Environment
- App Control Agent: All Supported Versions
Symptoms
- The Agent is enforcing Block Events with the reason "Still Analyzing" or "Unapproved".
- No hash is listed in the reported Block Event, and there is no hyperlink for "File Details".
Cause
The Agent was unable to properly analyze the file, and the Policy is configured to Block Unanalyzed Scripts and Executions. This is typically caused by latency on the endpoint; network latency or third-party antivirus holding the file are the most common root causes.
Resolution
Additional Notes
- You can specify which blocks get suppressed depending on the reason that the files were inaccessible:
  - File not existing = 0x02
  - File is not interesting = 0x04
  - Failed to hash file = 0x08
  - Unknown open error = 0x10
  - Access to file denied = 0x20
  - Sharing violation = 0x40
  - Other error = 0x80
- These values can be combined. For example, specifying allow_inaccessible_files=0x60 would approve both access-denied errors and sharing violation errors.
- allow_inaccessible_files=1 includes all of the above.
- Security Risk: Moderate (a malicious actor could overwrite an unknown or approved file with new content and then lock the file, preventing analysis as a means of bypassing enforcement).
- Operational Risk: Net positive; reduces the number of blocks caused by files that could not be analyzed.
- Conflicts or Overlaps: If allow_inaccessible_files is enabled (value=1), there is no need to additionally enable approve_inaccessible_files_based_on_last_known_state.
- Setting the Host ID to "0" sends the configuration to all Agents; otherwise a specific Host ID can be used to target a single Agent.
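The following is an added example, not part of this article or of the App Control product: it encodes and decodes the allow_inaccessible_files bitmask using exactly the reason codes listed above, and flags values that suppress the lock-induced reasons called out under Security Risk. The function names and the treatment of undefined bits are assumptions of this example.

```python
# Added example (not from the KB article): work with the
# allow_inaccessible_files bitmask. Reason codes are the ones the
# article lists; the value 1 is treated as "all of the above".

INACCESSIBLE_REASONS = {
    0x02: "File not existing",
    0x04: "File is not interesting",
    0x08: "Failed to hash file",
    0x10: "Unknown open error",
    0x20: "Access to file denied",
    0x40: "Sharing violation",
    0x80: "Other error",
}
ALL_REASONS = 0xFE  # bitwise OR of every code above

# Reasons an actor can induce by holding a handle on a file (the
# Security Risk note): suppressing these deserves extra scrutiny.
LOCK_INDUCIBLE = 0x20 | 0x40


def encode(reasons):
    """Combine reason names into the value to set (e.g. 0x60)."""
    by_name = {name: code for code, name in INACCESSIBLE_REASONS.items()}
    value = 0
    for name in reasons:
        value |= by_name[name]  # KeyError for a name not in the article
    return value


def decode(value):
    """List the reasons whose blocks a given setting value suppresses."""
    if value == 1:               # article: 1 includes all of the above
        value = ALL_REASONS
    if value & ~ALL_REASONS:     # assumption: undefined bits are rejected
        raise ValueError(f"undefined bits in 0x{value:02x}")
    return [name for code, name in sorted(INACCESSIBLE_REASONS.items())
            if value & code]


def suppresses_lock_bypass(value):
    """True if the value would also approve access-denied or sharing-violation blocks."""
    return value == 1 or bool(value & LOCK_INDUCIBLE)


if __name__ == "__main__":
    v = encode(["Access to file denied", "Sharing violation"])
    print(f"allow_inaccessible_files=0x{v:02x}", decode(v))  # 0x60
    print("lock-bypass exposure:", suppresses_lock_bypass(v))  # True
```

Run it before pushing a value to an Agent to see exactly which block reasons the setting will approve and whether the lock-based bypass is among them.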
Related Content