Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: 3.6.0.1941 and Lower
- Windows OS: All Supported Versions
Symptoms
A Terminated Process alert with a TTP of Policy_Deny is raised for a file that was approved by certificate and/or whose process and parent carried the Trusted_Allow_List reputation.
Cause
Normally the sensor delays execution at IRP_MJ_CREATE time when it sees a file being opened for execute, so the reputation decision is made before the process runs. That delay is not guaranteed to happen if ScanNetworkDriveExecute=false is set, or if the sensor missed seeing the open prior to ctifile loading; in either case the process can be terminated by policy even though the file was approved.
Resolution
This was fixed in DSEN-11927, and affected Windows endpoints should upgrade to 3.6.0.2076 or Higher.