
Enterprise EDR: Investigate filemod count shows zero results despite known filemods in event

Environment

  • Enterprise EDR Console: .55 (formerly CB ThreatHunter)
  • Enterprise EDR Sensor: 3.5
  • Microsoft Windows: All Supported Versions

Symptoms

  • Searching for filemod_name returns events that show a count of 0 Filemods
  • Process Analysis of the returned event shows filemods

Cause

Unknown

Resolution

If this behavior is seen, reproduce the event that generates the filemods on the endpoint using the following steps:
  1. Save the following as a text file on the endpoint so the sensor retains local copies of Enterprise EDR events:
     {
       "Version": "1.0",
       "ConfigProps":
       [
         { "Name": "PscEventBatchKeepLocalCopy", "Data": "True" }
       ]
     }
  2. Unlock the sensor to allow policy changes:
     repcli unlock <uninstall-code>
  3. Load the new file as a policy:
     repcli addpolicy psc <full-path-to-text-file>
  4. Re-create the problem event.
  5. Open C:\ProgramData\CarbonBlack\Events\Archives\ in Explorer.
  6. Wait for two more .zip files to appear in this directory.
  7. Edit the text file to change the "Data" value from "True" to "False":
     {
       "Version": "1.0",
       "ConfigProps":
       [
         { "Name": "PscEventBatchKeepLocalCopy", "Data": "False" }
       ]
     }
  8. Load the changed file as a policy to revert the change:
     repcli addpolicy psc <full-path-to-text-file>
  9. Capture the sensor logs and the .zip files in C:\ProgramData\CarbonBlack\Events\Archives\.
  10. Attach the captured files to a case with Support.
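The same collection procedure as an added PowerShell script (not part of this article): it writes the enable and revert policy files, applies them with the repcli commands shown above, waits for two new .zip archives, copies them to a collection folder, and always reverts the setting even if the wait times out. The repcli.exe location, the temporary policy file path and the collection folder are assumptions; run it in an elevated session on the affected endpoint.

```powershell
# Added example, not from the KB article. Assumed: repcli.exe is in the default
# sensor install directory (adjust $RepCli if not) and this runs elevated.
param(
    [Parameter(Mandatory = $true)][string]$UninstallCode,
    [string]$RepCli        = 'C:\Program Files\Confer\repcli.exe',        # assumed path
    [string]$ArchiveDir    = 'C:\ProgramData\CarbonBlack\Events\Archives',
    [string]$ConfigPath    = "$env:TEMP\keeplocalcopy.json",              # assumed path
    [string]$CollectDir    = "$env:TEMP\edr-filemod-case",                # assumed path
    [int]$TimeoutSeconds   = 900
)

function Write-KeepLocalCopyPolicy {
    param([string]$Path, [bool]$Enabled)
    # Same structure as the article's text file; only the Data value differs.
    $data   = if ($Enabled) { 'True' } else { 'False' }
    $policy = [ordered]@{
        Version     = '1.0'
        ConfigProps = @([ordered]@{ Name = 'PscEventBatchKeepLocalCopy'; Data = $data })
    }
    $policy | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding ASCII
}

function Get-ArchiveZips {
    @(Get-ChildItem -Path $ArchiveDir -Filter '*.zip' -ErrorAction SilentlyContinue)
}

try {
    $before = Get-ArchiveZips
    Write-KeepLocalCopyPolicy -Path $ConfigPath -Enabled $true
    & $RepCli unlock $UninstallCode
    & $RepCli addpolicy psc $ConfigPath
    Write-Host 'Local event copies enabled. Re-create the filemod event now.'

    # Step 6: wait until two more .zip files exist, or give up after the timeout.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $now = Get-ArchiveZips
    } until ($now.Count -ge $before.Count + 2 -or (Get-Date) -gt $deadline)
    if ($now.Count -lt $before.Count + 2) { Write-Warning 'Timed out waiting for archives.' }

    # Step 9: copy only the archives that appeared during the reproduction.
    New-Item -ItemType Directory -Path $CollectDir -Force | Out-Null
    $now | Where-Object { $_.FullName -notin $before.FullName } |
        Copy-Item -Destination $CollectDir
}
finally {
    # Step 8: always revert so the sensor stops keeping local copies.
    Write-KeepLocalCopyPolicy -Path $ConfigPath -Enabled $false
    & $RepCli addpolicy psc $ConfigPath
}
```

Sensor logs are not collected by the script; gather them separately before attaching the folder to the support case.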

Article Information
Creation Date: 09-09-2020