Files that you upload to the Carbon Black App Control Server are zipped before being uploaded, and while they appear in the Carbon Black App Control console under their original name, uploaded files are stored in numbered zip files on the Carbon Black App Control Server (1.zip, 2.zip, and so on).

The zip file contains the uploaded file and its folder path from the agent computer. How the file and path names are handled depends on the characters they contain:

  • All ANSI characters – If the name of the file and its path contain only ANSI-convertible characters, name and path information remain the same inside the zip file.
  • Non-ANSI characters – If the file or its path contains non-ANSI-convertible characters, the file name and path will appear differently inside the zip file because the program used to zip the file does not support non-ANSI-convertible characters. In this case, the upload process creates a hard link to the file in the Windows temp folder (C:\Windows\Temp). This link is then zipped using a new, generated file name beginning with “TMP” and a new path name. The extension will be included with the new file name unless it also contains non-ANSI-convertible characters.

Renaming has no effect on the file upload feature within Carbon Black App Control other than ensuring that files with non-ANSI-convertible names can be uploaded successfully. However, if you are directly accessing the uploaded files through their zip file – for example, if you have created your own analysis process via an API or other means, or you download the zip file itself – be aware that the zipped file name might differ from the file name on an endpoint.

Caution: The binaries of the original file and the renamed copy are the same. If a malicious file is uploaded under a temporary name, it will still be malicious. Take the same precautions you would take with any suspicious uploaded file.
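
For a custom analysis process that reads the numbered zip files directly, one way to cope with renamed entries is to identify each file by content hash instead of by name, reading the entries in memory without extracting them. The following Python code is an added example, not Carbon Black code; the function names, the sample archive and its paths are constructed for illustration, and the expected hash is assumed to come from your own record of the endpoint file.

```python
import hashlib
import io
import zipfile
from pathlib import PureWindowsPath


def inventory_upload(zip_bytes):
    """Return one record per file in an uploaded archive, hashed in memory."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256()
            with zf.open(info) as member:  # streamed; nothing is written to disk
                for chunk in iter(lambda: member.read(65536), b""):
                    digest.update(chunk)
            name = PureWindowsPath(info.filename).name
            records.append({
                "zip_name": info.filename,
                "sha256": digest.hexdigest(),
                # Per the text above, renamed entries get a generated name starting with "TMP".
                "maybe_renamed": name.startswith("TMP"),
            })
    return records


def find_by_hash(records, expected_sha256):
    """Match on content hash, since the zipped name may differ from the endpoint name."""
    return [r for r in records if r["sha256"] == expected_sha256.lower()]


def build_sample_zip():
    """Constructed sample: one entry kept its name, one is stored under a TMP name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Users/alice/Downloads/setup.exe", b"constructed-sample-A")
        zf.writestr("Windows/Temp/TMP0001.exe", b"constructed-sample-B")
    return buf.getvalue()


if __name__ == "__main__":
    recs = inventory_upload(build_sample_zip())
    wanted = hashlib.sha256(b"constructed-sample-B").hexdigest()
    for hit in find_by_hash(recs, wanted):
        print(hit)
```

A name beginning with "TMP" is only a hint that the entry was renamed; the hash comparison is what ties the zipped copy to the file seen on the endpoint.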