
EDR: Why does the path contain ellipsis?

Environment

  • EDR Linux Sensor: 7.0 to 7.2
  • RHEL/CentOS: 7 and 8

Question

On Linux sensors, why does the recorded path include ellipsis?

Answer

For the kernel module:
When the path or command line exceeds the maximum number of characters, the Linux OS returns an error.
In this case, kmod includes an ellipsis (...) in the path to inform user space that the path was truncated.
The full path can be determined using native Linux commands; because of possible performance issues, the sensor does not do this itself.
For BPF-based systems:
The path, or command line, is limited by the number of instructions supported by BPF and by validation in the BPF verifier. Newer kernels support longer paths.
Essentially, the ability to support arbitrarily long paths is an OS technical limitation, and the ellipsis provides notification that the limit was reached.

Additional Notes

  • Native Linux tools, like 'find', run via remote access or Live Response, can be used to identify the full path.
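The following is an added example of the 'find' approach described above; it is not Carbon Black's code or part of the sensor. It assumes the sensor's "..." marks an elided middle or tail of the path, treats the first "..." as that marker, and turns the known prefix and suffix into a find -path pattern so an analyst can list every candidate on the host.

```shell
#!/bin/sh
# resolve_truncated_path TRUNCATED_PATH
# Prints every existing filesystem entry whose path matches the known prefix
# and suffix around the sensor's "..." marker, one per line. A path without
# "..." is printed unchanged. The first "..." is assumed to be the marker, so a
# file whose real name contains "..." would be widened into a search as well.
resolve_truncated_path() {
    p="$1"
    case "$p" in
        *...*) ;;
        *) printf '%s\n' "$p"; return 0 ;;   # nothing was truncated
    esac
    prefix="${p%%...*}"        # text before the first "..."
    suffix="${p#*...}"         # text after the first "..."
    # The ellipsis may have cut a path component in half, so start the search
    # from the deepest directory that is fully known.
    base="${prefix%/*}"
    [ -n "$base" ] || base="/"
    # find's -path matches the whole path, so '*' spans directory levels.
    find "$base" -path "${prefix}*${suffix}" 2>/dev/null | sort
}

# Constructed demo tree (not real sensor data): for the file created below, a
# sensor hitting the limit would report something like "<tree>/opt/app/rel.../bin/agent".
demo=$(mktemp -d)
mkdir -p "$demo/opt/app/releases/2023/bin"
: > "$demo/opt/app/releases/2023/bin/agent"
: > "$demo/opt/app/releases/2023/bin/other"
resolve_truncated_path "$demo/opt/app/rel.../bin/agent"
rm -rf "$demo"
```

If the ellipsis replaced the tail of the path, the suffix is empty and the pattern lists everything below the known prefix; narrow it with find options such as -type f or -name when the candidate list is long.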

Article Information
Creation Date: 10-04-2023