Environment
- Endpoint Standard Sensor: All versions
- Microsoft Windows: All Supported Versions
Symptoms
- Files on network drives are scanned even though the "Scan files on network drives" setting is disabled
- Policy is configured with "Scan execute on network drives" enabled and "Scan files on network drives" disabled
Cause
- Browsing a network drive in Windows Explorer often triggers an execute operation on the files it displays, so they are scanned under the "Scan execute on network drives" setting.
- The Windows API for extracting a file's resources and icons calls LoadLibraryExW with the LOAD_LIBRARY_AS_DATAFILE flag, which maps the PE file into memory so the resources can be read.
- Even though no process is created by this mapping (no file was double-clicked), simply browsing in Explorer therefore often registers as an "execution".
- Content opened with execute access triggers policy enforcement.
- Browsing the same share from cmd.exe or powershell.exe does not exhibit this behavior, since those shells do not extract icons or resources from the files they list.
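The following script is an added example and is not part of the original KB article. It reproduces the resource-only mapping that Explorer's icon extraction performs (LoadLibraryExW with LOAD_LIBRARY_AS_DATAFILE) against a single file so the resulting sensor event can be compared with a genuine launch of the same file; the share path is a placeholder and no sensor event names are assumed.

```powershell
# Added example, not code from the KB article or the sensor: map a PE on a network share
# as a data file, the same way Explorer's icon/resource extraction does, and confirm that
# no process is created while doing so. Run it, then look at the event the sensor records.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class DataFileLoad {
    // LOAD_LIBRARY_AS_DATAFILE (0x2): map the image as data; DllMain is not run.
    public const uint LOAD_LIBRARY_AS_DATAFILE = 0x00000002;
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibraryExW(string fileName, IntPtr hFile, uint flags);
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool FreeLibrary(IntPtr module);
}
'@

function Test-ResourceOnlyMap {
    # $Path is a placeholder UNC path; substitute a file on one of your own shares.
    param([Parameter(Mandatory)][string]$Path)
    $before = (Get-Process).Count
    $h = [DataFileLoad]::LoadLibraryExW($Path, [IntPtr]::Zero,
                                         [DataFileLoad]::LOAD_LIBRARY_AS_DATAFILE)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LoadLibraryExW failed for $Path (Win32 error $err)"
    }
    try {
        $after = (Get-Process).Count
        [pscustomobject]@{
            Path         = $Path
            MappedAsData = $true
            NewProcesses = $after - $before   # expected 0: the file was mapped, not executed
            MappedAt     = Get-Date           # correlate with the sensor's execute event timestamp
        }
    }
    finally {
        [void][DataFileLoad]::FreeLibrary($h)
    }
}

Test-ResourceOnlyMap -Path '\\FILESERVER\share\tool.exe'
```

If the sensor reports an execute event for the file at MappedAt while NewProcesses is 0, the event came from the data-file mapping rather than from a process launch.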
Resolution
This is expected behavior.