Carbon Black Cloud: Sensor still banning a hash that was removed from banned list

Article ID: 285352

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Alerts for blocked banned hashes are still seen after the hash has been removed from the banned list.

Environment

  • Carbon Black Cloud Sensor: 3.9.2 and prior releases
  • Microsoft Windows: All Supported Versions

Cause

Tracked as defect DSEN-21581 and addressed in the 4.0.0.1292 sensor release. In specific edge cases, a sensor can revert to banning a previously banned hash after an unclean endpoint shutdown, when local sensor database corruption causes a restore from backup.

Resolution

When a banned hash is removed from the banned list, also add the same hash to the allowed list.

Additional Information

  • Short summary: If you unban a hash, approve it as well until all Windows sensors are updated to the 4.0.0.1292 sensor release or newer.
  • Hashes added to the allowed list due to this issue can be removed 2 weeks after being added, once all endpoints have checked in and the backup interval has been cleared.