App Control: Unanalyzed Block Timeout for Local Files

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Symptoms

Agent is enforcing Block Events similar to:
File 'C:\Program Files (x86)\AcmeAccounting\acme.exe' [03748...43B60] was blocked because the Agent did not have time to analyze it.

Cause

Unanalyzed file blocks occur when the Agent does not have enough time to analyze a file before the driver's wait expires. This is typically caused by an interoperability issue (for example, another security product scanning the same file) or by latency on the endpoint or the network.

Resolution

  1. Having proper antivirus exclusions in place (Windows, macOS, Linux) can prevent these types of Block Events.
  2. Verifying that the latest version of the Agent is installed rules out a known issue as the cause.
  3. If the issue persists, adjust the kernelLocalAbMissTimeout setting:
    1. Log in to the Console and navigate to https://ServerAddress/agent_config.php
    2. Add a Filter > Value > contains: kernelLocalAbMissTimeout
    3. Edit the resulting Agent Config accordingly:
      • Status: Enabled
      • Value: kernelLocalAbMissTimeout=90000
    4. Click Save

Additional Notes

  • Alternatively, a new Agent Config can be created with the same Value listed above for a specific Policy or Endpoint.
  • The default value for this setting (as of 8.0) is: kernelLocalAbMissTimeout=90000
  • Description: An “abmiss” occurs when the parity driver encounters a new local file (i.e. one on a fixed disk) that does not currently exist in its cache (a cache miss). The driver sends a message to the agent (Parity.exe) to collect metadata on the file (hash, signature info, file state, etc.) and update the cache. In certain cases, such as executions, the driver stalls the underlying operation while it waits for a response from the agent. This setting controls how long the driver will wait for that response. If the timeout period expires, the file is considered unanalyzed and the policy setting “Block unanalyzed scripts and executables” determines how to proceed with the operation (block, allow, report). The agent will continue to attempt to complete analysis of the file to determine its state, except in certain cases, for example if the file was deleted.
  • Security Risk: Increasing the timeout is a net gain in security as the agent is allowed more time to determine file state before responding to the driver request.
  • Operational Risk: Most abmisses do not result in operations being stalled, so there is little operational risk in increasing the timeout. The exception is operations on network files, where abmisses on execution are more likely to be stalled. In those cases, the user could see a delay while the driver waits for a response from the agent or until the stall expires (see the next config setting).
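Before raising the timeout it helps to confirm that the blocks really are unanalyzed-file blocks and whether they hit local or network paths, since kernelLocalAbMissTimeout only governs local (fixed-disk) files. The following triage script is an added example, not part of this article or the App Control product; it parses the block-event message format quoted in the Symptoms section from constructed sample lines (the hashes are placeholders), classifies each path as local or network, and converts the config value from milliseconds to seconds.

```python
import re
from collections import Counter

# Block event message format shown in the Symptoms section (hash abbreviated there).
BLOCK_RE = re.compile(
    r"File '(?P<path>[^']+)' \[(?P<hash>[0-9A-Fa-f.]+)\] was blocked because "
    r"the Agent did not have time to analyze it\."
)

def classify_path(path: str) -> str:
    """kernelLocalAbMissTimeout governs local (fixed-disk) files; UNC paths are network files."""
    if path.startswith("\\\\"):
        return "network"
    if re.match(r"^[A-Za-z]:\\", path):
        return "local"
    return "unknown"

def parse_block_events(lines):
    """Return (path, hash, origin) tuples for lines that are unanalyzed-block events."""
    events = []
    for line in lines:
        m = BLOCK_RE.search(line)
        if m:
            events.append((m.group("path"), m.group("hash"), classify_path(m.group("path"))))
    return events

def summarize(events):
    """Count blocks per origin and per path so repeat offenders stand out."""
    by_origin = Counter(origin for _, _, origin in events)
    by_path = Counter(path for path, _, _ in events)
    return by_origin, by_path

def timeout_seconds(config_value: str) -> float:
    """Parse 'kernelLocalAbMissTimeout=90000' (milliseconds) into seconds."""
    key, _, value = config_value.partition("=")
    if key.strip() != "kernelLocalAbMissTimeout":
        raise ValueError(f"unexpected setting: {key!r}")
    return int(value.strip()) / 1000.0

# Constructed sample events (not real telemetry); hashes are placeholder strings.
SAMPLE_LOG = [
    "File 'C:\\Program Files (x86)\\AcmeAccounting\\acme.exe' [03748AAA...43B60] was blocked because the Agent did not have time to analyze it.",
    "File 'C:\\Program Files (x86)\\AcmeAccounting\\acme.exe' [03748AAA...43B60] was blocked because the Agent did not have time to analyze it.",
    "File '\\\\fileserver\\share\\tools\\util.exe' [DEADBEEF...0001] was blocked because the Agent did not have time to analyze it.",
    "File 'C:\\Temp\\installer.exe' [CAFEBABE...0002] was blocked because the Agent did not have time to analyze it.",
    "File 'C:\\Temp\\other.exe' [00000000...0003] was approved by policy.",
]
```

Running `summarize(parse_block_events(SAMPLE_LOG))` on the sample shows three local blocks (acme.exe twice) and one network block; the repeated local executable is the case the timeout change above addresses, while the UNC path is not.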

Article Information
Creation Date: 12-17-2018