Environment
- Enterprise EDR Console: .55 (formerly CB ThreatHunter)
- Enterprise EDR Sensor: 3.5
- Microsoft Windows: All Supported Versions
Symptoms
- Searching for filemod_name returns events that show a count of 0 Filemods
- Process Analysis of the returned event shows filemods
Cause
Unknown
Resolution
If this behavior is seen, reproduce the event with the filemods on the endpoint using the following steps:
- Save the following as a text file on the endpoint to retain Enterprise EDR events:
{
  "Version": "1.0",
  "ConfigProps": [
    { "Name": "PscEventBatchKeepLocalCopy", "Data": "True" }
  ]
}
- Unlock the sensor to enable changing the policy:
repcli unlock <uninstall-code>
- Load the new file as a policy:
repcli addpolicy psc <full-path-to-text-file>
- Re-create the problem event
- Open C:\ProgramData\CarbonBlack\Events\Archives\ in explorer
- Wait for two more .zip files to appear in this directory
- Edit the text file to change the "Data" value from "True" to "False":
{
  "Version": "1.0",
  "ConfigProps": [
    { "Name": "PscEventBatchKeepLocalCopy", "Data": "False" }
  ]
}
- Load the changed file as a policy to revert the change:
repcli addpolicy psc <full-path-to-text-file>
- Capture the sensor logs and .zip files in C:\ProgramData\CarbonBlack\Events\Archives\
- Attach captured files to a case with Support
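The steps above can be run end to end from an elevated PowerShell prompt on the endpoint. The following script is an added example and is not part of this article or the Carbon Black product; it assumes repcli is on PATH (or that the script is run from the sensor install directory), and the uninstall code, policy file path, capture folder and timeout are parameters chosen here, not values from the article.

```powershell
# Added example (not from the KB article): automates the reproduction steps above.
# Assumptions: repcli resolves on PATH, the prompt is elevated, and $UninstallCode
# is this sensor's uninstall code. The capture folder and timeout are arbitrary choices.
param(
    [Parameter(Mandatory = $true)] [string]$UninstallCode,
    [string]$PolicyFile = "$env:TEMP\psc_keep_local_copy.json",
    [string]$ArchiveDir = 'C:\ProgramData\CarbonBlack\Events\Archives',
    [string]$CaptureDir = "$env:USERPROFILE\Desktop\edr-filemod-case",
    [int]$TimeoutMinutes = 30
)

function Set-KeepLocalCopy([bool]$Enabled) {
    # Write the ConfigProps policy shown in the article ("True" or "False") and load it.
    $policy = [ordered]@{
        Version     = '1.0'
        ConfigProps = @([ordered]@{ Name = 'PscEventBatchKeepLocalCopy'; Data = "$Enabled" })
    }
    $policy | ConvertTo-Json -Depth 3 | Set-Content -Path $PolicyFile -Encoding ASCII
    & repcli addpolicy psc $PolicyFile
}

function Get-ArchiveCount {
    @(Get-ChildItem -Path $ArchiveDir -Filter '*.zip' -ErrorAction SilentlyContinue).Count
}

# 1. Unlock the sensor so policy changes are accepted, then keep local copies of event batches.
& repcli unlock $UninstallCode
Set-KeepLocalCopy $true

# 2. Note how many archives exist now, then reproduce the filemod event by hand.
$before = Get-ArchiveCount
Read-Host 'Re-create the problem event on this endpoint now, then press Enter'

# 3. Wait until two more .zip files have been written, which the article uses as the
#    sign that the batch containing the event has been flushed to disk.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 15
    $now = Get-ArchiveCount
} while (($now -lt $before + 2) -and ((Get-Date) -lt $deadline))
if ($now -lt $before + 2) { Write-Warning "Only $($now - $before) new archive(s) appeared before the timeout." }

# 4. Revert the setting so the sensor stops keeping local copies of every batch.
Set-KeepLocalCopy $false

# 5. Collect the archives for the support case (sensor logs are gathered separately).
New-Item -ItemType Directory -Path $CaptureDir -Force | Out-Null
Copy-Item -Path (Join-Path $ArchiveDir '*.zip') -Destination $CaptureDir -Force
Write-Host "Archives copied to $CaptureDir; add the sensor logs and attach the folder to the case."
```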