Carbon Black Cloud: Notepad.exe detected as KNOWN_MALWARE


Article ID: 284921



Carbon Black Cloud Endpoint Standard (formerly Cb Defense)


Issue

Windows Event Viewer (Application.evtx) shows:

Event ID: 33
Source: CbDefense
Warning: CldApiLogCloudReputationThreat: Carbon Black Cloud Sensor indicates the file \device\harddiskvolume3\windows\system32\notepad.exe is banned and is likely a virus (Swrort)

Events in the console show:

C:\windows\system32\notepad.exe. The operation was blocked by Cb Defense.


Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard Sensor: All Versions
  • Microsoft Windows: All Supported Versions


Cause

An analytics change relating to the reputation of Notepad.exe on June 20th resulted in an incorrect KNOWN_MALWARE reputation for the file.


Resolution

This has been corrected on the backend and these blocks should no longer occur.

Additional Information

  • The affected notepad.exe file has the SHA256 hash value 0d54da710565a3820860be8df519df62458e9a997bed3c6925665268ecc1086f
  • In this case, Microsoft did not code-sign this version of Notepad.exe. Microsoft is typically very consistent about signing its files, so this rarely happens. Meanwhile, it is not exactly rare for attackers to try to deploy hijacked or known-vulnerable versions of Notepad.exe. An unsigned Notepad is therefore a suspicious thing, so the reputation automation acted accordingly and updated the file's reputation, despite the file being legitimate.
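The following PowerShell script is an added triage example and is not part of the article or of Carbon Black's own tooling. It pulls the CbDefense Event ID 33 warnings described above from the Application log, hashes the local notepad.exe against the SHA256 quoted in the article, and checks the file's Authenticode status so an administrator can confirm whether a block on their endpoint was this false positive or something that needs a closer look. It assumes it is run in an elevated PowerShell session on the affected Windows endpoint; the variable and output names are the example's own.

```powershell
# Added example (not from the Carbon Black article): triage a KNOWN_MALWARE
# block on notepad.exe. Assumes an elevated session on the affected endpoint.

# SHA256 quoted in the article for the mis-classified notepad.exe build.
$ExpectedSha256 = '0d54da710565a3820860be8df519df62458e9a997bed3c6925665268ecc1086f'
$NotepadPath    = Join-Path $env:SystemRoot 'System32\notepad.exe'

# 1. CbDefense reputation-threat warnings (Event ID 33) from the Application
#    log, restricted to the ones that mention notepad.exe.
$filter = @{ LogName = 'Application'; ProviderName = 'CbDefense'; Id = 33 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'notepad\.exe' }

Write-Host "CbDefense Event ID 33 entries referencing notepad.exe: $(@($events).Count)"
foreach ($e in $events) {
    [PSCustomObject]@{
        TimeCreated = $e.TimeCreated
        Message     = ($e.Message -split "`n")[0]   # first line of the warning text
    }
}

# 2. Compare the on-disk notepad.exe with the hash the article lists.
$actual      = (Get-FileHash -Path $NotepadPath -Algorithm SHA256).Hash.ToLower()
$hashMatches = ($actual -eq $ExpectedSha256)

# 3. Check the Authenticode signature, since an unsigned Notepad is what
#    drove the reputation change in the first place.
$sig = Get-AuthenticodeSignature -FilePath $NotepadPath

[PSCustomObject]@{
    Path            = $NotepadPath
    Sha256          = $actual
    MatchesArticle  = $hashMatches
    SignatureStatus = $sig.Status
    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
}

if ($hashMatches) {
    Write-Host 'Hash matches the build the article identifies as a false positive.'
} elseif ($sig.Status -eq 'Valid') {
    Write-Host 'Different build with a valid signature; confirm the signer is Microsoft.'
} else {
    Write-Host 'Hash differs from the article and the file is not validly signed; treat as unverified and investigate.'
}
```

The three outcomes map to the article's reasoning: a matching hash points at the corrected reputation event, a validly signed but different build is the normal case for a patched Notepad, and an unsigned file with an unknown hash is exactly the condition the reputation automation was built to flag.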