
EDR: Can Already Running Processes be Ingress Filtered?

Environment

  • EDR Server: All Versions

Question

Can an already running process be filtered by an ingress filter? 

Answer

No. The GUID of an already running process has already been added to a cache as a "non-filter" to enhance performance, so the process will continue to be allowed.

Additional Notes

  • For on-prem customers, restarting the cb-datastore service clears the cache, after which it can be built up again.
  • When using descendant filtering, if a process is filtered and does not do anything new that would add it to the cleared cache, its descendants will continue to not be filtered.
  • CB-37587 has been created to enhance the ingress filter by clearing the cache to reset any matches that were previously listed as 'non-filtered'.

Creation Date: 11-29-2021