Elastic endpoint security blocklist process delete the binary file

Hi all
I have a case using the Elastic endpoint.
I tried using the blocklist in Elastic endpoint to block the process /bin/ls.
After the policy got installed, the binary file in /bin/ls disappeared and I cannot execute ls anymore.
How did that happen? Can anyone tell me?
And how does Elastic endpoint block a process from being executed?

Thanks for your time.

Second try at the blocklist: the first time I tried to execute the command I got "Operation not permitted", and then the second time I executed the command I got "No such file or directory".
It seems that the endpoint has deleted the binary completely, and even when I deleted the blocklist it did not return.

Hi Lusandya,

Endpoint quarantined the file. You have to add an endpoint exception to get it back.

Oh, so can I ask how to add an endpoint exception, and where did endpoint put the binary file?

Did you get any alert when you tried to run the process for first time?

I didn't get any alert on the server where I ran the binary, only the message `bash: /bin/ls: Operation not permitted`.

Follow "Rule exceptions and value lists | Elastic Security Solution [8.5] | Elastic" to see how to add an endpoint exception when endpoint has detected a malware process and quarantined it.

I have new information regarding this case.
It's not that the endpoint deleted the file when the binary got added to the blocklist. It is after I removed the blocklist from the policy that the endpoint deleted the file from my machine.
Do you know why that is the case?

