Endpoint Standard: What is the impact of disabling "Scan execute on network drives"?

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Question

Will there be any security impact to devices if "Scan execute on network drives" is disabled by policy?

Answer

  • The sensor will not stall file execution while waiting for the Carbon Black Cloud to return a reputation, so the sensor may allow the file to execute based on the reputation obtained by the Local Scanner (if enabled)
  • Once a reputation is obtained from the Carbon Black Cloud, file reputation will be updated and policy rules will apply accordingly

Additional Notes

  • If "Scan execute files on network drives" is disabled in the policy, the sensor will not check the cloud reputation for that file until it attempts to execute
  • The sensor will calculate the SHA256 hash for all files on network drives upon execute so that the file can be tracked and recorded
  • The sensor queues a reputation request, but the request will not be sent until the next send window (every five minutes)
  • The sensor will not stall file execution while waiting for the Carbon Black Cloud to return a reputation, so the sensor may allow the file to execute based on the reputation obtained by the Local Scanner (if enabled)
  • Background Scan checks only apply to pre-existing files, so it would not apply in this case
  • LOCAL_WHITE reputation is not assigned to network files by default. This behavior only applies to pre-existing files. See CB Defense: How Are Reputations Assigned for Network Files?
  • Local Scanner is not supported on macOS
  • If another file attempts to access the file, the sensor does not generate another reputation request
  • The sensor will apply an Unknown reputation until it receives a reputation from the Carbon Black Cloud
  • Once a reputation is returned, policy rules can apply to the network file
  • Unknown reputation typically means the sensor cannot reach the Carbon Black Cloud Backend

Article Information
Creation Date: 02-11-2019