Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard Sensor: All Versions
- Microsoft Windows: All Supported Versions
- Apple macOS: All Supported Versions
Question
Will there be any security impact to devices if "Scan execute on network drives" is disabled by policy?
Answer
- The sensor will not stall file execution while waiting for the Carbon Black Cloud to return a reputation, so the sensor may allow the file to execute based on the reputation obtained by the Local Scanner (if enabled)
- Once a reputation is obtained from the Carbon Black Cloud, file reputation will be updated and policy rules will apply accordingly
Additional Notes
- If "Scan execute on network drives" is disabled in the policy, the sensor will not check the cloud reputation for that file until it attempts to execute
- The sensor will calculate the SHA256 hash for all files on network drives upon execute so that the file can be tracked and recorded
- The sensor queues a reputation request, but the request will not be sent until the next send window (every five minutes)
- The sensor will not stall file execution while waiting for the Carbon Black Cloud to return a reputation, so the sensor may allow the file to execute based on the reputation obtained by the Local Scanner if enabled
- Background Scan checks only apply to pre-existing files, so they would not apply in this case
- LOCAL_WHITE reputation is not assigned to network files by default. This behavior only applies to pre-existing files. See CB Defense: How Are Reputations Assigned for Network Files?
- Local Scanner is not supported on macOS
- If another file attempts to access the file, the sensor does not generate another reputation request
- The sensor will apply an Unknown reputation until it receives a reputation from the Carbon Black Cloud
- Once a reputation is returned, policy rules can apply to the network file
- Unknown reputation typically means the sensor cannot reach the Carbon Black Cloud Backend