Access to process '$filePathAndName$' was restricted - Requested[$param1$] Restricted[$param2$].

Access to process '$filePathAndName$' was granted because of a Memory Rule user response. Access to process '$filePathAndName$' was restricted because of a Memory Rule user response.

The Carbon Black App Control Agent discovered a banned process '$filePathAndName$' [$hash$] that ran during system startup. $param1$

If Process watchlist and file are known to App Control: Carbon Black EDR process watchlist '$ruleName$' hit for process '$process$' [$hash$] on computer '$computer$'.

Carbon Black EDR watchlist '$watchlist$' detected file '$filePathAndName$' [$hash$] on computer '$computer$'.

If Process watchlist and file are unknown to App Control:

Carbon Black EDR process watchlist '$ruleName$' hit for unknown process '$process$' [$processhash$] on computer '$computer$'.

Carbon Black EDR watchlist '$watchlist$' detected unknown file '$filePathAndName$' [$hash$] on computer '$computer$'.

(continued on next page)

(continued from previous page)

If Binary watchlist and file are known to App Control:

Carbon Black EDR binary watchlist '$ruleName$' detected file '$filePathAndName$' [$hash$].

If Binary watchlist and file is unknown to App Control:

Carbon Black EDR binary watchlist '$ruleName$' detected unknown file '$filePathAndName$' [$hash$].

The $param1$ file '$filePathAndName$' [$hash$] executed before the Carbon Black App Control Agent was running. $param2$

The $param1$ file '$filePathAndName$' [$hash$] executed before the Carbon Black App Control Agent was enforcing. $param2$

Execution of file '$filePathAndName$' [$hash$] would have blocked if Carbon Black App Control Agent was active.

Execution of unapproved file '$filePathAndName$' [$hash$] was allowed because of a Trusted User '$username$'.

The file '$filePathAndName$' executed before the Carbon Black App Control Agent started. The file was removed before the Carbon Black App Control Agent could analyze it. $param2$

File '$filePathAndName$' with hash [$hash$] was blocked because of a Custom Rule.

Process '$process$' was terminated due to a Custom Rule.

File '$filePathAndName$' was blocked because Carbon Black App Control Agent did not have time to analyze it.

File '$filePathAndName$' [$hash$] was executed because of a Custom Rule user response.

File '$filePathAndName$' [$hash$] was approved due to Custom Rule.

File '$filePathAndName$' [$hash$] was approved by reputation.

Note: This event occurs when an agent attempts to run an unapproved file, checks with the server, and is given a reputation approval from the server that was not previously sent to the agent.

File '$filePathAndName$' with hash [$hash$] was approved due to system update.

Note: For Windows, this applies to the package/root files from Windows Update, not files installed from them.

File '$filePathAndName$' [$hash$] was approved by Trusted User '$username$'.

The newly discovered file '$filePathAndName$' [$hash$] was executing when the Carbon Black App Control Agent started. $param1$

Prompt '$filePathAndName$' [$hash$] prompt is canceled ($param1$).

Note: Param1 shows the reason a notifier prompt was cancelled. It can be one of the following:

• EnforcementChange – Agent changed enforcement levels and the prompt no longer applies (e.g., moved from Medium to High, so the file will now just block).
• SubsequentBlock – Agent blocked the file and is no longer waiting for response (typically means timeout or file was banned or had a rule change the blocked it).
• AgentShutdown – System or daemon shutdown while the prompt was still outstanding. File will be blocked in this case.
• PingTimeout – Agent was unable to communicate with notifier and canceled the prompt. This is an error case and should be rare.

Platform Note: This event only occurs for Mac OS X and Linux agents.

Access to process '$filePathAndName$' was granted – Requested[$param1$]

Note: Param1 is a hex number indicating the Windows code of the permissions requested.

File '$filePathAndName$' [$hash$] was executed.

Process '$process$' failed to be terminated: $param3$. Banned image: '$filePathAndName$' [$hash$].

Process '$process$' would have been terminated due to the banned file '$filePathAndName$' [$hash$] if Policy were not in Visibility Only

Process '$process$' would have been terminated due to the banned image '$filePathAndName$' [$hash$]: $param3$.".

File '$filePathAndName$' was modified or deleted.

Modification of registry '$filePathAndName$' was allowed.

Execution of '$filePathAndName$' by '$username$' was blocked because tamper protection was enabled.

Modification of '$filePathAndName$' by '$username$' was blocked because tamper protection was enabled.

Execution of '$filePathAndName$' by '$username$' would have been blocked if tamper protection were enabled.

Modification of '$filePathAndName$' by '$username$' would have been blocked if tamper protection were enabled.

The Carbon Black App Control Agent discovered an unapproved process '$filePathandName$' [$hash$] that ran during system startup. $param1$

Modification of file '$filePathAndName$' [$hash$] was blocked because of a Custom Rule.

Modification of registry '$filePathAndName$' was blocked.

File '$filePathAndName$' was modified or deleted because of a Custom Rule user response.

Modification of file '$filePathAndName$' [$hash$] was blocked because of a Custom Rule user response.

Registry '$filePathAndName$' was modified or deleted because of a Registry Rule user response.

Modification of registry '$filePathAndName$' was blocked because of a Registry Rule user response.