Endpoint Standard: Why was Malware allowed to run before being blocked?
Article ID: 285467
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Why was malware allowed to run, despite policy settings to Terminate 'Known Malware' when it 'runs or is running', before being blocked and terminated by the CBC a short time later?
Environment
Carbon Black Cloud Web Console: All Versions
Carbon Black Cloud Sensor: All Versions
Resolution
The file/hash concerned did not have a 'Known Malware' reputation at the time of the events.
The reputation that was 'Applied' at the time was 'Not Listed', because neither our Local AV Scanner nor our CDC Reputation Service had any information that this file was malware.
Once the file received an updated reputation of 'Known Malware' from our CDC, the policy settings took effect and the sensor terminated the processes in the related events.
Additional Information
Always check the events to see what reputation was 'applied' to either the Process or the Target.
On the Investigate page it will look something like this: App reputation (applied, AV scan), or Target reputation (applied, cloud).
You may see two entries for reputation, but it is the 'Applied Reputation' that comes into play; the other is the file's current reputation, not its reputation at the time of the event.
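The distinction between the applied reputation and the current reputation is easy to get wrong when reviewing a batch of events. The following Python helper is an added example, not code from the article or from Carbon Black: it walks a set of constructed event records, decides from the applied reputation whether the terminate rule could have fired at event time, and explains the cases where the file is 'Known Malware' now but was 'Not Listed' when it ran. The record shape and field names (event_time, applied_reputation, applied_source, current_reputation) are assumptions for illustration, not the Carbon Black Cloud API's fields.

```python
"""Triage helper: compare the reputation applied at event time with the file's reputation now.

Added example; the event record layout below is constructed and hypothetical,
not the Carbon Black Cloud API schema.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Reputations that the example policy terminates when a process 'runs or is running'.
TERMINATE_REPUTATIONS = {"Known Malware"}


@dataclass
class ReputationEvent:
    event_time: str           # constructed timestamp
    sha256: str               # constructed placeholder hash, not a real IoC
    applied_reputation: str   # reputation the sensor acted on at event time
    applied_source: str       # where it came from, e.g. "AV scan" or "cloud"
    current_reputation: str   # what the console shows for the hash today


def policy_would_terminate(event: ReputationEvent) -> bool:
    """Only the reputation applied at event time can trigger the policy."""
    return event.applied_reputation in TERMINATE_REPUTATIONS


def explain(event: ReputationEvent) -> str:
    """Return a one-line explanation of why the event was or was not terminated."""
    if policy_would_terminate(event):
        return ("terminated: applied reputation "
                f"'{event.applied_reputation}' ({event.applied_source}) matched policy")
    if event.current_reputation in TERMINATE_REPUTATIONS:
        # The common confusing case: the file is malware now, but was not known at the time.
        return ("allowed at event time: applied reputation was "
                f"'{event.applied_reputation}' ({event.applied_source}); "
                f"reputation has since changed to '{event.current_reputation}'")
    return (f"allowed: applied reputation '{event.applied_reputation}' "
            "does not match policy")


def triage(events: List[ReputationEvent]) -> List[Tuple[str, str]]:
    """Explain every event in chronological order of the input."""
    return [(e.event_time, explain(e)) for e in events]


# Constructed sample: the same hash seen twice, before and after the CDC update.
SAMPLE_EVENTS = [
    ReputationEvent("2024-01-01T10:00:00Z", "<placeholder-sha256>",
                    "Not Listed", "cloud", "Known Malware"),
    ReputationEvent("2024-01-01T10:07:00Z", "<placeholder-sha256>",
                    "Known Malware", "cloud", "Known Malware"),
    ReputationEvent("2024-01-01T10:09:00Z", "<placeholder-sha256-2>",
                    "Trusted White List", "AV scan", "Trusted White List"),
]

if __name__ == "__main__":
    for when, why in triage(SAMPLE_EVENTS):
        print(when, why)
```

Reading the output for the first two records shows the situation the article describes: the first execution carried an applied reputation of 'Not Listed', so the terminate rule had nothing to match, and only the later event, once the applied reputation was 'Known Malware', was terminated.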