Endpoint Standard: Why do Blocks from Rules with "Runs or is running" not Always Match Selected Deny/Terminate Action?

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard

Question

If a Blocking and Isolation Policy Rule is configured with the Operation attempt "Runs or is running" and the Action "Deny operation", why do some of the resulting block events show "Terminate process" (TTP POLICY_TERMINATE) instead? Conversely, if the Action is "Terminate process", why do some block events show "Deny operation" (TTP POLICY_DENY)?

Answer

  • "Runs or is running" is the only Operation attempt that covers two distinct attempted actions, so the Sensor chooses the action from the state of the process at the time the rule matches rather than from the Action selected in the console
    • Runs: the application/file/process attempts to start, or is invoked by another process, and is not yet running; the only applicable action is Deny (the launch is refused), which is reported as POLICY_DENY
    • Is running: the binary is already executing when the rule matches (for example, after the rule is created or the policy is applied); the only applicable action is Terminate, which is reported as POLICY_TERMINATE
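
The following Python model, added here as an illustration and not Carbon Black's own sensor or API code, shows the behavior described above: a rule on "Runs or is running" produces POLICY_DENY for a launch attempt and POLICY_TERMINATE for a process already running, whichever Action was selected, while any other Operation attempt uses the configured Action as-is. The enum member names, the `BlockingRule`/`ProcessEvent` classes, the glob-style path matching, and the sample events are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatch


class Operation(Enum):
    # Values are the console labels; the member names are assumptions for this example.
    RUNS_OR_IS_RUNNING = "Runs or is running"
    # Stands in for any single-action Operation attempt (assumed for illustration).
    INVOKES_CMD_INTERPRETER = "Invokes a command interpreter"


class Action(Enum):
    DENY = "Deny operation"
    TERMINATE = "Terminate process"


# TTP recorded on the block event for the action the sensor actually took.
TTP_FOR_ACTION = {Action.DENY: "POLICY_DENY", Action.TERMINATE: "POLICY_TERMINATE"}


@dataclass(frozen=True)
class BlockingRule:
    application: str        # path pattern as typed into the rule, e.g. **\evil.exe
    operation: Operation
    action: Action          # the Action selected in the console


@dataclass(frozen=True)
class ProcessEvent:
    path: str
    already_running: bool   # True if the binary was executing when the rule matched


def matches(rule: BlockingRule, event: ProcessEvent) -> bool:
    """Case-insensitive glob match (simplified stand-in for the console's path syntax)."""
    return fnmatch(event.path.lower(), rule.application.lower())


def effective_action(rule: BlockingRule, event: ProcessEvent) -> Action:
    """Action the sensor takes for an event that matches the rule.

    For "Runs or is running" the configured Action is not authoritative: a launch
    attempt can only be denied, and an already-running process can only be
    terminated. Every other Operation attempt uses the configured Action.
    """
    if rule.operation is Operation.RUNS_OR_IS_RUNNING:
        return Action.TERMINATE if event.already_running else Action.DENY
    return rule.action


def evaluate(rule: BlockingRule, events: list[ProcessEvent]) -> list[tuple[str, str, str]]:
    """Return (path, action taken, TTP) for every event the rule blocks."""
    results = []
    for event in events:
        if not matches(rule, event):
            continue
        taken = effective_action(rule, event)
        results.append((event.path, taken.value, TTP_FOR_ACTION[taken]))
    return results


# Two rules that differ only in the Action selected in the console.
DENY_RULE = BlockingRule(r"**\evil.exe", Operation.RUNS_OR_IS_RUNNING, Action.DENY)
TERMINATE_RULE = BlockingRule(r"**\evil.exe", Operation.RUNS_OR_IS_RUNNING, Action.TERMINATE)

# Constructed sample events, not real sensor data.
CONSTRUCTED_EVENTS = [
    ProcessEvent(r"C:\Users\bob\evil.exe", already_running=False),   # launch attempt
    ProcessEvent(r"C:\Users\bob\evil.exe", already_running=True),    # found running
    ProcessEvent(r"C:\Windows\notepad.exe", already_running=True),   # no match
]

if __name__ == "__main__":
    for rule in (DENY_RULE, TERMINATE_RULE):
        print(f"Rule action selected: {rule.action.value}")
        for path, taken, ttp in evaluate(rule, CONSTRUCTED_EVENTS):
            print(f"  {path}: {taken} -> {ttp}")
```

Running the script prints the same two block events, one POLICY_DENY and one POLICY_TERMINATE, for both rules; the Action selected in the console changes nothing for this Operation attempt, which is exactly the mismatch the question describes.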

Additional Notes

  • For Blocking and Isolation rules, "Runs or is running" is the most restrictive Operation attempt: the application/file/process is blocked as soon as it tries to run, and it is terminated if it is found to be already running
  • For Permissions rules, "Runs or is running" is the least permissive Operation attempt: it only allows the application/file/process to be launched (or invoked by another process) and to keep running, and does not by itself permit any other operation

Article Information

Creation Date: 12-17-2021