IBM Support

QRadar EDR: Temporary files remain in the folder

Troubleshooting


Problem

After opening and then closing a file in a folder handled by an encryption solution (encryption/decryption) on an endpoint where the agent is installed, a temporary file such as "file.xls1234567" remains in the folder.

Symptom

Closing the original file does not remove the temporary file; it remains in the folder.

Cause

Temporary files such as "file.xls1234567" are normal and can be generated by the ReaQta anti-ransomware evaluation (when the ransomware protection policy is enabled). The file is a secure temporary copy that ReaQta creates when it observes an encryption operation. Therefore, this is not a bug; old temporary files generated by ReaQta anti-ransomware can be safely deleted.

Environment

QRadar EDR 3.x.x
Windows Agents 3.x.x

Diagnosing The Problem

If the file name ends with a number, such as "1234567", the temporary file was created by QRadar EDR.
For example: file.xls1234567
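
The naming rule above can be checked automatically before anything is deleted. The script below is an added example written for this note, not part of QRadar EDR or ReaQta; it assumes a leftover temporary file is one whose name equals the name of another file in the same folder followed only by digits, and it builds a constructed sample folder to demonstrate the check.

```python
"""Find leftover anti-ransomware temporary copies (hypothetical helper,
not QRadar EDR / ReaQta code). Assumption: a leftover temp file is a
regular file named <existing file name><digits>, e.g. "file.xls1234567"
sitting next to "file.xls". Files with a numeric suffix but no matching
original in the folder are NOT flagged, so they are never deleted here."""
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Base part must end in a non-digit so the digit run is the whole suffix.
TRAILING_DIGITS = re.compile(r"^(?P<base>.*\D)(?P<suffix>\d+)$")


def original_name_for(name: str, siblings: set) -> Optional[str]:
    """Return the original file name if `name` looks like a temp copy of a
    file present in `siblings`; otherwise None."""
    match = TRAILING_DIGITS.match(name)
    if not match:
        return None
    base = match.group("base")
    return base if base in siblings else None


def find_leftover_temp_files(folder: Path) -> List[Path]:
    """List files in `folder` (non-recursive) that appear to be leftover
    temp copies of another file in the same folder. Nothing is deleted."""
    names = {p.name for p in folder.iterdir() if p.is_file()}
    return sorted(p for p in folder.iterdir()
                  if p.is_file() and original_name_for(p.name, names))


def delete_leftovers(folder: Path, dry_run: bool = True) -> List[Path]:
    """Delete the leftover temp copies, or only report them when dry_run."""
    leftovers = find_leftover_temp_files(folder)
    if not dry_run:
        for p in leftovers:
            p.unlink()
    return leftovers


def build_sample_folder() -> Path:
    """Constructed sample: two originals with leftover copies, plus decoys
    (digits inside the name, extension ending in a digit, orphan suffix)."""
    folder = Path(tempfile.mkdtemp(prefix="reaqta_demo_"))
    for name in ("file.xls", "file.xls1234567", "report.docx",
                 "report.docx9876543", "song.mp3", "photo001.jpg",
                 "orphan.txt5555555"):
        (folder / name).write_text("constructed sample content")
    return folder


if __name__ == "__main__":
    for p in delete_leftovers(build_sample_folder(), dry_run=True):
        print(f"leftover temp file: {p.name}")
```

Run with dry_run=True first and review the list; only the two files next to their originals are reported, while "orphan.txt5555555" is left for the analyst to judge.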

Resolving The Problem

To resolve this issue, delete the generated temporary files and then create an Allowlist by following the steps below. The Allowlist must specify the folder of the program (application) that edits the files; this applies to any such application, not only encryption solutions.
  1. The analyst identifies the path to the program (application) that performs the file editing.
  2. Log in to your dashboard.
  3. Go to the endpoint page, open the agent's “Live Response” and issue the command 'antiransomware off' to disable Anti-Ransomware.
  4. The old temporary files that were generated can be safely deleted.
  5. Go to the Policy page, click the Create Policy button and select Allowlist.
  6. Enter the Policy name and Description.
  7. Select the Targets.
  8. Select Matcher: Behaviour-based.
  9. Select Trigger Type: Ransomware Behavior.
  10. App Directory: C:\Program Files\Application folder\*
    Important point: The analyst must specify the path identified in step 1.
  11. Click the Create button.
  12. After creating the Allowlist, verify that no new temporary files are generated.
  13. If no temporary file is generated, go to the endpoint page and issue the command 'antiransomware on' from the agent's “Live Response” to re-enable Anti-Ransomware.

Document Location

Worldwide


Document Information

Modified date:
05 September 2023

UID

ibm17015773