Carbon Black Cloud: How to Test Malware Detection On The Linux Platform
Article ID: 285330
Updated On:
Products
Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
How to test malware detection and blocking enforcement on the Linux platform?
Environment
- Carbon Black Cloud Linux Sensor: 2.11.x and higher
- Linux: All Supported Versions
Resolution
- Download the test file here
- Unzip the archive with the password "test", it'll contain the file cctest (with a SHA256 hash value of A99FCE43F5CD5D48169CE085A0469F260FD635225E591EF7B5D962532AF6AB1F)
- Ensure the "Known malware" blocking and isolation policy is set to [Runs or is running → Terminate Process]
- Also ensure the VM has access to the Carbon Black cloud
- Attempt to run the file cctest
- Upon execution detection, the Linux terminal should show the message “Operation not permitted” or “Killed” or some similar message indicating that the banned application will not be executed on further attempts
- The console will show "A known virus was detected running", and on a separate event, "The application cctest was identified as known malware. A Terminate Policy Action was applied"
- The console will also show "Deny Policy Action was applied" on subsequent access attempts
Additional Information
When the sensor in bypass, and if marked as executable at the OS level, the file should generate the message "Carbon Black© test, execution allowed".
The test file may be allowed to run if the endpoint does not have access to the cloud, once access is restored the reputation should be updated and the test file blocked as described above.
The test file may be allowed to run if the endpoint does not have access to the cloud, once access is restored the reputation should be updated and the test file blocked as described above.
Attachments
Feedback
Yes
No
Powered by
