Banned Hashes Page Only Shows 500 Hashes
search cancel

Banned Hashes Page Only Shows 500 Hashes

book

Article ID: 285463

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Banned hash count of 500 or more
  • Banned Hashes page displays only 500 for the count

Environment

  • Carbon Black EDR Console: All versions

Cause

The web UI only displays 500 hashes and is not paginated.

Resolution

There are two workarounds to retrieve a full list of current actively banned hashes

  1. Perform the following SQL query via SSH:
psql cb -p 5002 -c "SELECT * from banning_blacklist"
  1. ​​​​Leverage the EDR API:
https://<Servername>/api/v1/banning/blacklist?count=10000"

 

Additional Information

  • The API can support up to 10,000 banned hashes
  • Hashes that are no longer enabled can be removed via the "cbbanning purge-inactive" command. How to Mark and Purge Inactive Banned Hashes from Console
  • The banning feature should be used as a temporary measure to stop executions or kill existing executables until they can be added to an application control type software.