Banned Hashes Page Only Shows 500 Hashes
Article ID: 285463
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Banned hash count of 500 or more
Banned Hashes page displays only 500 for the count
Environment
Carbon Black EDR Console: All versions
Cause
The web UI only displays 500 hashes and is not paginated.
Resolution
There are two workarounds to retrieve a full list of currently active banned hashes:
1. Perform the following SQL query via SSH:
psql cb -p 5002 -c "SELECT * from banning_blacklist"
2. Leverage the EDR API:
https://<Servername>/api/v1/banning/blacklist?count=10000
Additional Information
The API can support up to 10,000 banned hashes
Hashes that are no longer enabled can be removed via the "cbbanning purge-inactive" command. See: How to Mark and Purge Inactive Banned Hashes from Console
The banning feature should be used as a temporary measure to stop executions or kill existing executables until they can be added to application control software.
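The API workaround as an added example (not part of the original article or the vendor's code): it pulls the list from the endpoint above, separates enabled from disabled hashes, and flags a result that exceeds the UI's 500 or may have hit the requested count. The X-Auth-Token header and the "md5hash" and "enabled" response fields are assumptions about the EDR REST API to verify against your server's output; the sample records are constructed.

```python
import json
import ssl
import urllib.request

API_CAP = 10000   # article: the API can support up to 10,000 banned hashes
UI_LIMIT = 500    # article: the web UI only displays 500 hashes


def fetch_banned(server, token, count=API_CAP, ca_file=None):
    """GET the banned-hash list from the endpoint given in the article."""
    url = f"https://{server}/api/v1/banning/blacklist?count={count}"
    # Assumption: the API token is sent in the X-Auth-Token header.
    req = urllib.request.Request(url, headers={"X-Auth-Token": token})
    ctx = ssl.create_default_context(cafile=ca_file)  # keep TLS verification on
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def summarize(records, requested=API_CAP):
    """Split records by state and flag a list that may have hit the count cap."""
    enabled, disabled = set(), set()
    for rec in records:
        # Assumption: each record has "md5hash" and a boolean "enabled".
        md5 = str(rec.get("md5hash", "")).lower()
        (enabled if rec.get("enabled") else disabled).add(md5)
    return {
        "total": len(records),
        "enabled": sorted(enabled),
        "purge_candidates": sorted(disabled),  # for cbbanning purge-inactive
        "exceeds_ui": len(records) > UI_LIMIT,
        "maybe_truncated": len(records) >= requested,
    }


# Constructed sample: 502 fake records, every third one disabled.
SAMPLE = [{"md5hash": f"{i:032X}", "enabled": i % 3 != 0} for i in range(502)]

if __name__ == "__main__":
    report = summarize(SAMPLE)  # live use: summarize(fetch_banned(host, token))
    print(f"{report['total']} records, {len(report['enabled'])} enabled, "
          f"{len(report['purge_candidates'])} disabled")
    if report["exceeds_ui"]:
        print(f"More than {UI_LIMIT} records: the Banned Hashes page is incomplete")
    if report["maybe_truncated"]:
        print("Record count equals the requested count: list may be truncated")
```

If "maybe_truncated" is set on a live server, cross-check the total against the SQL query above, which is not subject to the API count.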