
Endpoint Standard: Why an Image File Can Be Accessed on a USB Device That Is Currently Being Blocked


Environment

  • Carbon Black Cloud Console: November '20 Release (0.60) and Higher
  • Endpoint Standard Windows Sensor: 3.6.0.1897 and Higher

Question

Why can an image file be accessed on a USB device that is currently being blocked?

Answer

The image files are being displayed from the MS Windows cache, not read from the device: they were viewed or accessed before the Device Control policy was enforced. The Windows Photos application also caches the previous and next images, which may produce the same experience for files that were not directly accessed.

Additional Notes

  • To validate this, clear the cache and attempt to access the image or preview again. To clear the cache manually, delete the contents of %localappdata%\Microsoft\Windows\Explorer
  • Once the content is cleared you can return to the file and attempt to open it and you will receive the expected “Access Denied”.
  • Note: Closing or killing the explorer.exe process before deleting may be required to delete all of the content.
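
The validation steps above as a PowerShell script, run as the affected user. This is an added example, not part of the original article or vendor tooling; the variable names are illustrative, and it assumes it is acceptable to restart the user's Explorer shell.

```powershell
# Added example: clear the per-user Explorer cache described above, then report
# anything that could not be removed because it was still held open.
$cacheDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Explorer'

if (-not (Test-Path -LiteralPath $cacheDir)) {
    Write-Error "Cache directory not found: $cacheDir"
    return
}

# Record what is cached before touching anything.
$before = @(Get-ChildItem -LiteralPath $cacheDir -File -Force)
$bytes  = [long]($before | Measure-Object -Property Length -Sum).Sum
"{0} file(s), {1:N0} bytes in {2}" -f $before.Count, $bytes, $cacheDir

# Explorer can keep cache files open, so stop it before deleting.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue

# Delete each file individually so one locked file does not hide the others.
$locked = @()
foreach ($file in $before) {
    try   { Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop }
    catch { $locked += $file.Name }
}

# Start the shell again unless Windows has already restarted it.
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}

if ($locked.Count -gt 0) {
    "Could not delete {0} file(s): {1}" -f $locked.Count, ($locked -join ', ')
} else {
    "Cache cleared. Re-open the image on the USB device; 'Access Denied' is the expected result."
}
```

If files are reported as still locked, close any open image viewer and run the script again before re-testing.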

Article Information
Creation Date: 02-24-2021