Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: Blocks In the \Windows\WinSxS\Temp\PendingDeletes and \Program Files\Windowsapps\Deleted\ Directory

App Control: Blocks In the \Windows\WinSxS\Temp\PendingDeletes and \Program Files\Windowsapps\Deleted\ Directory

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions

Symptoms

  • Blocks in \Windows\WinSxS\Temp\PendingDeletes folder that are unhashed
  • Blocks in \Program Files\Windowsapps\Deleted\ folder that are unhashed

Cause

Due to how Windows uses this directory during Windows Update / other OS related processes , the files are already deleted by the time our agent starts analyzing it, causing us to respond with an "open file failure" and show a block.

Resolution

There are a few different ways these blocks can be dealt with:

  1. Enforce a scheduled reboot policy in the environment. Under ordinary circumstances, rebooting the device after Windows Updates will clear/prevent these blocks.
    • This is the safest method as there is no rule that can be taken advantage of.
  2. If the notifier is bothersome to end users, disabling the notifier can alleviate this burden.
    • This may cause some confusion to end users and/or technicians that are troubleshooting system/application issues.
  3. Create an execution control rule to allow the executions
    • Generally not recommended as the path processes are usually generic and could be taken advantage of.
  4. A configuration in the console can be added to allow the "open file failure" by using the below steps.
    1. Logon to the Cb Protection console and navigate to https://<CBServerName>/agent_config.php
    2. Click on + Add Agent Config
    3. Fill in the properties like below
      • Property Name: Allow Inaccessible files
      • Host ID: 0 (Having this be 0 will send to all machines)
      • Value:
        • 8.1 P2 and Higher use: allow_inaccessible_files=0x02
        • Older Agents use: allow_inaccessible_files=1
      • Status: Enabled
    4. Click Save

Additional Notes

  • The allow_inaccessible_files=0x02 configuration tells agents to allow the open file failure when the condition is "File not existing"
  • The allow_inaccessible_files=1 configuration tells agents to allow the "open file failure" for any of the below conditions:
    • File not existing 
    • File is not interesting, 
    • Failed to hash file
    • Unknown open error 
    • Access to file denied
    • Sharing violation
    • Other error

Related Content


Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎09-09-2020
Views:
2406
Contributors