
App Control: Blocks In the \Windows\WinSxS\Temp\PendingDeletes and \Program Files\Windowsapps\Deleted\ Directory

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions

Symptoms

  • Blocks in \Windows\WinSxS\Temp\PendingDeletes folder that are unhashed
  • Blocks in \Program Files\Windowsapps\Deleted\ folder that are unhashed

Cause

Because of how Windows uses these directories during Windows Update and other OS-related processes, the files are already deleted by the time the agent starts analyzing them. The agent therefore fails to open the file, responds with an "open file failure", and shows a block.

Resolution

There are a few different ways these blocks can be dealt with:

  1. Enforce a scheduled reboot policy in the environment. Under ordinary circumstances, rebooting the device after Windows Updates will clear/prevent these blocks.
    • This is the safest method as there is no rule that can be taken advantage of.
  2. If the notifier is bothersome to end users, disabling the notifier can alleviate this burden.
    • This may cause some confusion to end users and/or technicians that are troubleshooting system/application issues.
  3. Create an execution control rule to allow the executions.
    • Generally not recommended, as the processes under these paths are usually generic and the rule could be taken advantage of.
  4. A configuration can be added in the console to allow the "open file failure" by using the steps below.
    1. Log on to the Cb Protection console and navigate to https://<CBServerName>/agent_config.php
    2. Click on + Add Agent Config
    3. Fill in the properties as below
      • Property Name: Allow Inaccessible files
      • Host ID: 0 (Having this be 0 will send to all machines)
      • Value:
        • 8.1 P2 and Higher use: allow_inaccessible_files=0x02
        • Older Agents use: allow_inaccessible_files=1
      • Status: Enabled
    4. Click Save

Additional Notes

  • The allow_inaccessible_files=0x02 configuration tells agents to allow the "open file failure" only when the condition is "File not existing"
  • The allow_inaccessible_files=1 configuration tells agents to allow the "open file failure" for any of the below conditions:
    • File not existing
    • File is not interesting
    • Failed to hash file
    • Unknown open error
    • Access to file denied
    • Sharing violation
    • Other error
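As an added example (not part of this KB or of App Control itself), the following Python triages a constructed block-event export against the two directories from the Symptoms section and the value semantics listed above: it picks out unhashed open-file-failure blocks under those paths and shows which of them allow_inaccessible_files=0x02 would let through versus the broader allow_inaccessible_files=1. The CSV column layout, the sample rows and the verdict names are assumptions made for the example.

```python
import csv
import io
from pathlib import PureWindowsPath

# Directories the KB names: Windows Update deletes files here before the agent can
# hash them, so the agent reports an "open file failure" and blocks.
TRANSIENT_DIRS = (
    PureWindowsPath(r"\Windows\WinSxS\Temp\PendingDeletes"),
    PureWindowsPath(r"\Program Files\WindowsApps\Deleted"),
)

# Open-failure conditions listed in the KB. allow_inaccessible_files=1 allows all
# of them; allow_inaccessible_files=0x02 allows only "File not existing".
OPEN_FAILURE_CONDITIONS = {
    "File not existing", "File is not interesting", "Failed to hash file",
    "Unknown open error", "Access to file denied", "Sharing violation", "Other error",
}

def in_transient_dir(path: str) -> bool:
    """Case-insensitive test that `path` lies below one of TRANSIENT_DIRS; drive letter optional."""
    p = PureWindowsPath(path)
    rel = [s.lower() for s in p.relative_to(p.anchor).parts]
    for d in TRANSIENT_DIRS:
        want = [s.lower() for s in d.relative_to(d.anchor).parts]
        if len(rel) > len(want) and rel[:len(want)] == want:
            return True
    return False

def classify(path: str, file_hash: str, reason: str, allow_value: str) -> str:
    """Relate one block event to this KB under a given allow_inaccessible_files value."""
    kb_pattern = not file_hash.strip() and in_transient_dir(path) and reason in OPEN_FAILURE_CONDITIONS
    if not kb_pattern:
        return "review"        # not the pattern this KB describes: triage it normally
    if allow_value == "1" or (allow_value == "0x02" and reason == "File not existing"):
        return "allowed"       # the configured value would let this open failure through
    return "not_covered"       # same directory, but 0x02 does not cover this condition

def triage(csv_text: str, allow_value: str) -> dict:
    """Map each event's path to a verdict. Expected columns: timestamp,host,path,hash,reason."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["path"]: classify(r["path"], r["hash"], r["reason"], allow_value) for r in rows}

# Constructed sample export (not real App Control output); the column layout is an assumption.
SAMPLE_EVENTS = r"""timestamp,host,path,hash,reason
2020-09-09T10:00:01,WS01,C:\Windows\WinSxS\Temp\PendingDeletes\abc.dll,,File not existing
2020-09-09T10:00:02,WS01,C:\Program Files\WindowsApps\Deleted\pkg\app.exe,,Sharing violation
2020-09-09T10:00:03,WS02,C:\Users\bob\Downloads\tool.exe,,File not existing
2020-09-09T10:00:04,WS02,C:\Windows\System32\notepad.exe,0123abcd,Banned by policy
"""
```

Running `triage(SAMPLE_EVENTS, "0x02")` marks the PendingDeletes block as allowed but the Sharing violation under WindowsApps\Deleted as not covered, which is the practical difference between the two values when choosing one.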

Article Information

Creation Date: 09-09-2020