Cb Protection: Approve Inaccessible Files based on Last Known State

Environment

  • Cb Protection Agent: All Versions

Symptoms

This is one of the agent configuration properties we recommend for addressing unanalyzed file blocks. The most common symptom of that issue is a block whose event in the console has no file hash present.

Cause

Unanalyzed file blocks occur when the agent does not have time to properly analyze a file. This is typically caused by latency on the endpoint, with the network or third-party antivirus being the most common root causes.

Resolution

Configuration Property Listed Below: 
  1. Property Name: Approve Inaccessible Files based on Last Known State
  2. Host ID: 0 For All
  3. Value: approve_inaccessible_files_based_on_last_known_state=1
  4. Status: Enabled

Additional Notes

Description: Determines whether the agent will temporarily approve a file locally when it is unable to re-hash the file at the time of execution and the last known hash for the file was approved. The purpose of this is to reduce the number of unanalyzed blocks.

Security Risk: Minimal/moderate (A malicious actor could overwrite an approved file with new content and lock the file, preventing analysis as a means of bypassing enforcement)

Operational Risk: Net plus (decreases the number of unanalyzed blocks)

Conflicts or Overlaps: Some overlap with allow_inaccessible_files
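
The decision described under Description and Security Risk, as an added example that is not Carbon Black agent code: a simplified Python model of what happens when the file can and cannot be re-hashed at execution time. All names in it are hypothetical, SHA-256 is an assumed hash for the model, and the sample file and contents are constructed.

```python
# Simplified model of the behaviour described above; not Carbon Black agent code.
# All names here are hypothetical and SHA-256 is an assumed hash for the model.
import hashlib
from dataclasses import dataclass
from typing import Optional

ALLOW = "allow"
BLOCK = "block"
BLOCK_UNANALYZED = "block-unanalyzed"        # event carries no file hash
ALLOW_LAST_KNOWN = "allow-last-known-state"  # temporary local approval


@dataclass
class FileRecord:
    path: str
    last_known_hash: Optional[str]  # recorded the last time analysis succeeded
    last_known_approved: bool


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(record, content, approved, last_known_state_enabled):
    """Return (decision, hash). content is None when the file cannot be read
    for re-hashing at execution time (for example latency or a lock)."""
    if content is not None:
        digest = sha256(content)
        return (ALLOW if digest in approved else BLOCK), digest
    # Re-hash failed. The on-disk bytes are never inspected on this path,
    # which is the trade-off behind the stated security risk.
    if (last_known_state_enabled and record.last_known_hash is not None
            and record.last_known_approved):
        return ALLOW_LAST_KNOWN, None
    return BLOCK_UNANALYZED, None


def run_scenarios():
    """Constructed sample data: one approved file in four situations."""
    good = b"approved build 1.0"  # constructed content
    approved = {sha256(good)}
    rec = FileRecord(r"C:\Tools\app.exe", sha256(good), True)
    return {
        "readable_unchanged": decide(rec, good, approved, True)[0],
        "readable_modified": decide(rec, b"changed", approved, True)[0],
        "unreadable_property_off": decide(rec, None, approved, False)[0],
        "unreadable_property_on": decide(rec, None, approved, True)[0],
    }
```

In the model, only the last case differs between the property being off and on: the unanalyzed block becomes a temporary approval, and that approval rests on the recorded state rather than on the current file content.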


Creation Date: 12-17-2018