Execution Block (Still Analyzing) on SQL Server updater

Version

All

Issue

When trying to install the patch updater for SQL Server, the file is blocked with the "(still analyzing)" subtype.

This appears to be linked to a specific file: sqlserver2012sp3-kb3072779-x64-enu.exe

Cause

Because of the size of this executable file, we are unable to complete the analysis that would allow us to confirm this file is approved.

Solution

In the Carbon Black Protection Console, go to the following link:

  • https://<servername>/agent_config.php
  • Filter for Value contains "kernelLocalABMissTimeout". If this does not exist, create a new config:
  • Name: Unanalyzed block timeout for local files (milliseconds)
  • HostID: *
  • Value: kernelLocalABMissTimeout=120000

* Host ID should be specified. In the Console, go to Assets > Computers and select the computer; "hostid=" will be in the address bar of the browser.

  • Revert the value back to kernelLocalABMissTimeout=60000 after completion.

Important Note(s)

Do not adjust any other configuration under the agent_config. Doing this can cause unexpected results.

Article Information

Creation Date: 08-26-2016