Carbon Black Cloud: Notepad.exe detected as KNOWN_MALWARE
search cancel

Carbon Black Cloud: Notepad.exe detected as KNOWN_MALWARE

book

Article ID: 284921

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Windows Event Viewer (Application.evtx) shows: 
Event ID: 33
Source: CbDefense
Warning: CldApiLogCloudReputationThreat: Carbon Black Cloud Sensor indicates the file \device\harddiskvolume3\windows\system32\notepad.exe is banned and is likely a virus (Swrort)
  Events in console show: 
C:\windows\system32\notepad.exe. The operation was blocked by Cb Defense.

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Cause

Analytics change in relation to the reputation for Notepad.exe on June 20th. Resulted in an incorrect KNOWN_Malware reputation

Resolution

  This has been corrected on the backend and these blocks should no longer occur

Additional Information

  • The notepad.exe file has a sha256 hash value: 0d54da710565a3820860be8df519df62458e9a997bed3c6925665268ecc1086f
  • In this case, Microsoft didn't code-sign this version of Notepad.exe. Microsoft is typically really good at making sure to sign their files, so this rarely happens.  Meanwhile, it's not exactly rare that hackers might try to deploy hijacked or known-vulnerable versions of Notepad.exe.  An unsigned Notepad is a suspicious thing, so automation acted accordingly to update the reputation of the file, despite it being legitimate.
Powered by Wolken Software