Carbon Black Cloud: Sensor still banning a hash that was removed from banned list
Article ID: 285352
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Alerts for blocking of a banned hash are still seen after the hash has been removed from the banned list.
Environment
Carbon Black Cloud Sensor: 3.9.2 and prior releases
Microsoft Windows: All Supported Versions
Cause
This is tracked as defect DSEN-21581 and is addressed in the 4.0.0.1292 sensor release. In specific edge cases, an unclean endpoint shutdown corrupts the local sensor database, the sensor restores the database from its backup, and the restored copy can cause the sensor to revert to banning a previously banned hash.
Resolution
When a banned hash is removed from the banned list, also add the same hash to the allowed list.
Additional Information
Short summary: If you unban a hash, approve it as well until all Windows sensors are updated to the 4.0.0.1292 sensor release or newer.
Hashes added to the allowed list because of this issue can be removed 2 weeks after being added, once all endpoints have checked in and the backup interval has been cleared.
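
One way to track the workaround, as an added example (not VMware/Carbon Black code): it lists the Windows sensors still below 4.0.0.1292 and the temporary allow entries that meet the removal conditions above. The record layout, field names, host names, build numbers and hashes are constructed, and "checked in" is assumed to mean a check-in after the allow entry was added.

```python
from datetime import datetime, timedelta

FIXED_VERSION = (4, 0, 0, 1292)   # first sensor release with the DSEN-21581 fix
HOLD_PERIOD = timedelta(days=14)  # "2 weeks after being added"

def parse_version(text):
    """Turn '3.9.2.2698' into (3, 9, 2, 2698) so builds compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def affected_sensors(inventory):
    """Hosts running a Windows sensor older than the fixed release."""
    return [s["host"] for s in inventory
            if s["os"].lower() == "windows"
            and parse_version(s["version"]) < FIXED_VERSION]

def removable_allow_entries(allow_entries, inventory, now):
    """Temporary allow entries that are at least two weeks old and that every
    Windows sensor has checked in after (assumed reading of the condition)."""
    windows = [s for s in inventory if s["os"].lower() == "windows"]
    removable = []
    for entry in allow_entries:
        old_enough = now - entry["added"] >= HOLD_PERIOD
        all_checked_in = all(s["last_checkin"] > entry["added"] for s in windows)
        if old_enough and all_checked_in:
            removable.append(entry["sha256"])
    return removable

# Constructed sample data, for example from a console export.
INVENTORY = [
    {"host": "ws-01", "os": "WINDOWS", "version": "3.9.2.2698",
     "last_checkin": datetime(2024, 3, 28)},
    {"host": "ws-02", "os": "WINDOWS", "version": "4.0.0.1292",
     "last_checkin": datetime(2024, 3, 30)},
    {"host": "ws-03", "os": "WINDOWS", "version": "4.0.0.999",  # below 1292
     "last_checkin": datetime(2024, 3, 12)},
    {"host": "mac-01", "os": "MAC", "version": "3.7.2.81",      # not affected
     "last_checkin": datetime(2024, 3, 1)},
]
ALLOW_ENTRIES = [
    {"sha256": "a" * 64, "added": datetime(2024, 3, 10)},  # old, all checked in
    {"sha256": "b" * 64, "added": datetime(2024, 3, 25)},  # under two weeks
    {"sha256": "c" * 64, "added": datetime(2024, 3, 15)},  # ws-03 not seen since
]

if __name__ == "__main__":
    now = datetime(2024, 4, 1)
    print("Still affected:", affected_sensors(INVENTORY))
    print("Removable:", removable_allow_entries(ALLOW_ENTRIES, INVENTORY, now))
```

Versions are compared as integer tuples because a plain string comparison would rank build 999 above build 1292.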