Elastic endpoint security blocklist process deletes the binary file

Hi all,
I have a case using the Elastic endpoint.
I tried using the blocklist in the Elastic endpoint to block the process /bin/ls.
After the policy got installed, the binary file /bin/ls disappeared and I cannot execute ls anymore.
How did that happen? Can anyone tell me,
and how does the Elastic endpoint block a process from being executed?

Thanks for your time.

Second try at the blocklist: the first time I tried to execute the command I got "Operation not permitted", and then the second time I executed the command I got "No such file or directory".
It seems that the endpoint has deleted the binary completely, and even when I delete the blocklist entry it does not return.

Hi Lusandya,

Endpoint quarantined the file. You have to add an endpoint exception to get it back.

Oh, so can I ask how to add an endpoint exception, and where did the endpoint put the binary file?

Did you get any alert when you tried to run the process the first time?

I didn't get any alert on the server where I ran the binary, only `bash: /bin/ls: Operation not permitted`.

Follow "Rule exceptions and value lists | Elastic Security Solution [8.5] | Elastic" to see how to add an endpoint exception when the endpoint detects a malware process and quarantines it.

I have new information regarding this case.
It's not that the endpoint deletes the file when the binary gets added to the blocklist. It is after I remove the blocklist entry from the policy that the endpoint deletes the file from my machine.
Do you know why that is the case?
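The two symptoms described in this thread ("Operation not permitted" while the entry is active, then "No such file or directory" after the file is quarantined) are distinguishable from the errno the kernel returns when you try to execute the path. The script below is an added example for verifying a blocklisted binary's state on the host before and after a policy change; it is not Elastic's code and does not talk to the endpoint, and the errno-to-state mapping it uses (EPERM/EACCES means blocked, ENOENT means quarantined or removed) is an assumption made for this example. Recording the file's SHA-256 before the policy is applied gives you a reference value to compare against whatever is restored later.

```python
import errno
import hashlib
import os
import subprocess
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_errno(code):
    """Map an execve errno onto a state label (assumed mapping for this example)."""
    if code in (errno.EPERM, errno.EACCES):
        return "blocked"       # file exists but execution was refused
    if code == errno.ENOENT:
        return "missing"       # file is gone (quarantined or deleted)
    return "other"


def probe_binary(path, arg="--version"):
    """Try to execute `path` once and report ("runs"|"blocked"|"missing"|"other", errno)."""
    p = Path(path)
    if not p.exists():
        return ("missing", errno.ENOENT)
    try:
        subprocess.run([str(p), arg], capture_output=True, timeout=5)
    except OSError as e:   # PermissionError and FileNotFoundError are OSError subclasses
        return (classify_errno(e.errno), e.errno)
    return ("runs", None)


def baseline(paths):
    """Record path -> sha256 for every existing file, to be taken before the policy change."""
    return {p: sha256_of(p) for p in paths if Path(p).is_file()}


def compare(base, paths):
    """After the policy change, report per path: state, and whether the hash still matches."""
    report = {}
    for p in paths:
        state, code = probe_binary(p)
        same_hash = Path(p).is_file() and sha256_of(p) == base.get(p)
        report[p] = {"state": state, "errno": code, "hash_unchanged": same_hash}
    return report


if __name__ == "__main__":
    # Constructed demo: a temp file with no execute bit stands in for a blocklisted binary.
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "ls")
        Path(fake).write_bytes(b"#!/bin/sh\necho ls\n")
        os.chmod(fake, 0o644)          # not executable -> EACCES, classified "blocked"
        base = baseline([fake])
        print(compare(base, [fake]))
        os.remove(fake)                # simulate quarantine -> ENOENT, classified "missing"
        print(compare(base, [fake]))
```

Run it with the real path (for example `/bin/ls`) once before adding the blocklist entry and again after each policy change; a "blocked" state with an unchanged hash means the file is still on disk, while "missing" means it has been moved out of place and the recorded hash is what you compare against after an exception restores it.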
