Set Auto-delete known malware hashes by default

Article ID: 285113

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How to auto-delete known malware hashes by default

Environment

  • Carbon Black Cloud Web Console: All Current Versions
  • Carbon Black Cloud Windows Sensor: 3.2.1 and later
  • Carbon Black Cloud Mac Sensor: 3.3 and later
  • Microsoft Windows: All Versions
  • Apple macOS: All Versions

Resolution

To auto-delete known malware from the Carbon Black Cloud Web Console:
  1. Select Enforce > Policies
  2. Select [Policy Name] > Sensor Tab > then select "Auto-delete known malware hashes after"
  3. Select a time frame: 1 Day, 1 Week, 2 Weeks, 1 Month, 4 Months (default is 2 Weeks)
  4. Select "Save" to save selection
  5. After the policy setting is enabled, all new, executable malware is deleted at the end of the selected time frame

Deletion is permanent: deleted malware files cannot be restored.

Auto-delete does not delete files that are signed by Microsoft, Carbon Black files, or files that have had their hashes changed.

Additional Information

  • If "Auto-delete known malware hashes after" is not enabled, the sensor performs an in-place quarantine, which prevents the known malware from running and prevents other files from accessing it, provided the applicable policies are enabled
  • Use the audit log to see deleted malware, malware scheduled for deletion, and admin actions. Search the Audit Log for the hash you requested deletion of to see other events associated with the hash.
  • After malware is deleted, it is removed from the Detected tab and moved to the Deleted tab of the "Malware Removal" Page