EDR: Does EDR Collect Binaries for Executables that did not Execute

Environment

  • EDR Server: All Versions
  • EDR Sensor: All Versions

Question

Does the EDR sensor collect binaries for executables present on the machine if they have not executed?

Answer

No. The sensor does not inventory or scan the files on the endpoint; it only records events as they happen on the host. A malicious file can therefore sit on disk without being seen until it executes. At the time of execution the sensor reports the binary metadata and collects the physical binary so that it can be downloaded from the server.

Additional Notes

  • A malicious file written to disk by another process while the sensor is installed can be found through a filemod (file modification) search on the process that wrote it. However, because the file has not executed, no binary metadata exists for it and nothing is collected; only binaries that have executed are collected. A file that was already on disk before the sensor was installed produces no filemod event either, so it remains invisible until it runs.
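
The distinction above matters when reconciling an IOC list against EDR data: a hash that returns nothing from binary search may still show up as a filemod in process search. The following script is an added example, not Carbon Black's code and not part of this article. It builds the `filemod:` and `md5:` search terms used in EDR process and binary search, and classifies each IOC against two constructed record sets (filemod events and binary-store documents) standing in for the results of those searches. The `FileMod` type, the `Seen` states and all sample hashes and paths are assumptions made up for the illustration.

```python
"""Reconcile file IOCs against Carbon Black EDR records.

Added example, not Carbon Black code. The sample records below are constructed
by hand to mirror the behaviour the article describes: a file written by another
process appears as a filemod in process search, but a binary document (metadata
plus the collected file) only exists once that file has executed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Seen(Enum):
    NOT_SEEN = "never observed by the sensor"
    ON_DISK_ONLY = "file write seen (filemod), never executed, no binary collected"
    EXECUTED = "executed: binary metadata reported and file collected"


@dataclass
class FileMod:
    """One file-modification event as surfaced by a process search (assumed shape)."""
    writer: str            # process that wrote the file
    path: str              # full path written
    md5: Optional[str]     # hash of the written file; not present on every filemod type


def process_search_query(path: str) -> str:
    """Process-search term answering 'which process wrote this file?'."""
    return f'filemod:"{path}"'


def binary_search_query(md5: str) -> str:
    """Binary-search term for the binary document keyed on the file's MD5."""
    return f"md5:{md5.lower()}"


def classify(path: str, md5: str, filemods: list[FileMod], binaries: dict[str, dict]) -> Seen:
    """Decide what the sensor knows about one IOC.

    A binary document exists only for files that executed, so that check wins.
    Otherwise a filemod hit (by hash, or by path when the event carries no hash)
    proves the file reached disk while the sensor was watching, but nothing more.
    """
    md5 = md5.lower()
    if md5 in binaries:
        return Seen.EXECUTED
    for fm in filemods:
        if fm.path.lower() == path.lower() or (fm.md5 and fm.md5.lower() == md5):
            return Seen.ON_DISK_ONLY
    return Seen.NOT_SEEN


def triage(iocs: list[tuple[str, str]], filemods: list[FileMod], binaries: dict[str, dict]) -> dict[str, Seen]:
    """Classify every (path, md5) IOC; keyed by md5 so the result is easy to assert on."""
    return {md5.lower(): classify(path, md5, filemods, binaries) for path, md5 in iocs}


# Constructed sample data (hashes are placeholders, not real file hashes).
DROPPER_MD5 = "a1" * 16     # ran on the host, so a binary document exists
LOADER_MD5 = "b2" * 16      # written to disk by powershell, never launched
PAYLOAD_MD5 = "c3" * 16     # written to disk; the filemod record carries no hash
PRESTAGED_MD5 = "d4" * 16   # on disk before the sensor was installed, never launched

SAMPLE_FILEMODS = [
    FileMod("powershell.exe", r"c:\users\alice\appdata\local\temp\loader.exe", LOADER_MD5),
    FileMod("powershell.exe", r"c:\programdata\payload.dll", None),
]
SAMPLE_BINARIES = {
    DROPPER_MD5: {"original_filename": "dropper.exe", "host_count": 1},
}
SAMPLE_IOCS = [
    (r"c:\users\alice\appdata\local\temp\dropper.exe", DROPPER_MD5),
    (r"c:\users\alice\appdata\local\temp\loader.exe", LOADER_MD5),
    (r"c:\programdata\payload.dll", PAYLOAD_MD5),
    (r"c:\tools\prestaged.exe", PRESTAGED_MD5),
]


def demo() -> dict[str, Seen]:
    """Run the triage over the constructed sample and print the searches to run for each IOC."""
    result = triage(SAMPLE_IOCS, SAMPLE_FILEMODS, SAMPLE_BINARIES)
    for path, md5 in SAMPLE_IOCS:
        print(f"{md5}  {result[md5].value}")
        print(f"    process search: {process_search_query(path)}")
        print(f"    binary search:  {binary_search_query(md5)}")
    return result


if __name__ == "__main__":
    demo()
```

In a live environment the two query strings would be sent to the server's process and binary search (for example via the `/api/v1/process` and `/api/v1/binary` REST endpoints with an `X-Auth-Token` header) in place of the constructed lists. Note that binary search is server-wide: a hit means the file executed on some sensor reporting to that server, not necessarily on the host under investigation, so confirm with a process search on `process_md5:` scoped to the hostname when that distinction matters.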

Article Information
Creation Date: 04-03-2024