Why are some Events or Alerts with a Known Malware or a Banned reputation being allowed to run then terminated later? (Boot Time Protection)
Article ID: 285460
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR
Issue/Introduction
Why are some Events / Alerts with a Known Malware / Banned reputation being allowed to run then terminated later?
Environment
Carbon Black Cloud Web Console: All Versions
Carbon Black Sensor: All Versions
Microsoft Windows: All Supported Versions
Resolution
The CBC Sensor runs as a Windows service. By the time its services start, malware may already have started and taken actions. Once the Sensor is active, it prioritizes Policy enforcement actions over logging timestamps, so that it terminates processes according to Policy as quickly as possible; this is why the logged events can show the process running before the termination is recorded.
This issue has been resolved in Sensor version 3.5 with a new feature that finds all malicious services associated with Known Malware hashes and puts them in a disabled state.
This feature does not stop Banned processes from running as a service. For those, the events will still show on the console that the banned hash is running, and the application will need to be uninstalled manually.
Additional Information
If this is seen in the Console, search by the hash on the device to see what occurred and verify that the Sensor is terminating or denying the process once it is able to.
Signs in the CBC Console that malware started before the Sensor:
The Events show Reputation values that should have been Terminated / Denied, but no action was logged for them.
The first Event for an Alert ID is services.exe invoking a process with a Reputation that the Policy settings should stop, but it is not stopped.
The Events of the Known Malware running all occur within the same second.
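The three signs above can be checked mechanically over exported process events. The script below is an added example, not part of this article or of the Carbon Black Cloud product; the event field names (alert_id, ts, parent, process, reputation, action) and the reputation values KNOWN_MALWARE and BANNED are assumptions chosen for illustration and are not the Carbon Black Cloud event schema. The sample records are constructed: alert A1 models malware that started before the Sensor (services.exe launching a Known Malware process, events with no action, everything in the same second, with a termination logged once the Sensor caught up), and alert A2 models the normal case where the Sensor denied the process immediately.

```python
from collections import defaultdict
from datetime import datetime

# Reputation values that Policy should stop (assumed names, not the CBC schema).
BLOCKED_REPUTATIONS = {"KNOWN_MALWARE", "BANNED"}

# Constructed sample events; field names are assumptions for this example.
SAMPLE_EVENTS = [
    # A1: malware already running when the Sensor started
    {"alert_id": "A1", "ts": "2024-01-01T08:00:00", "parent": "services.exe",
     "process": "svc_updater.exe", "reputation": "KNOWN_MALWARE", "action": None},
    {"alert_id": "A1", "ts": "2024-01-01T08:00:00", "parent": "svc_updater.exe",
     "process": "cmd.exe", "reputation": "KNOWN_MALWARE", "action": None},
    {"alert_id": "A1", "ts": "2024-01-01T08:00:00", "parent": "svc_updater.exe",
     "process": "svc_updater.exe", "reputation": "KNOWN_MALWARE", "action": "TERMINATE"},
    # A2: Sensor was active and denied the process on launch
    {"alert_id": "A2", "ts": "2024-01-01T09:15:00", "parent": "explorer.exe",
     "process": "bad.exe", "reputation": "KNOWN_MALWARE", "action": "DENY"},
]


def boot_time_gap_signs(events):
    """Group events per Alert ID and report which of the article's three
    signs are present, plus whether the Sensor later enforced Policy."""
    by_alert = defaultdict(list)
    for e in events:
        by_alert[e["alert_id"]].append(e)

    findings = {}
    for alert_id, evs in by_alert.items():
        # Stable sort keeps original order for events in the same second.
        evs = sorted(evs, key=lambda e: e["ts"])
        signs = []

        # Sign 1: blocked reputation seen, but no Terminate/Deny action logged.
        unactioned = [e for e in evs
                      if e["reputation"] in BLOCKED_REPUTATIONS and e["action"] is None]
        if unactioned:
            signs.append("unactioned_blocked_reputation")

        # Sign 2: first event is services.exe launching a process Policy should stop.
        first = evs[0]
        if (first["parent"].lower() == "services.exe"
                and first["reputation"] in BLOCKED_REPUTATIONS
                and first["action"] is None):
            signs.append("services_exe_first_event")

        # Sign 3: all Known Malware events fall within the same second.
        malware = [e for e in evs if e["reputation"] in BLOCKED_REPUTATIONS]
        seconds = {datetime.fromisoformat(e["ts"]).replace(microsecond=0)
                   for e in malware}
        if len(malware) > 1 and len(seconds) == 1:
            signs.append("same_second_burst")

        # Did the Sensor terminate or deny the process once it was able to?
        later_enforcement = any(e["action"] in ("TERMINATE", "DENY") for e in malware)

        findings[alert_id] = {"signs": signs, "later_enforcement": later_enforcement}
    return findings


if __name__ == "__main__":
    for alert_id, result in boot_time_gap_signs(SAMPLE_EVENTS).items():
        print(alert_id, result)
```

An alert that shows all three signs together with later enforcement matches the boot-time scenario this article describes; an alert with the signs but no later Terminate/Deny is the case to raise with Support.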
If unsure, please open a Support case for assistance.