Endpoint Standard: Why was Malware allowed to run before being blocked?
Article ID: 285467

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Why was malware allowed to run, despite a policy rule set to Terminate 'Known Malware' when it 'runs or is running', only to be blocked and terminated by Carbon Black Cloud (CBC) a short time later?

Environment

  • Carbon Black Cloud Web Console: All Versions
  • Carbon Black Cloud Sensor: All Versions

Resolution

  • The file/hash concerned did not have a 'Known Malware' reputation at the time of the events.
  • The reputation that was 'Applied' at the time was 'Not Listed', because neither our Local AV Scanner nor our CDC Reputation Service had any information identifying this file as malware.
  • Once the file received an updated reputation of 'Known Malware' from our CDC, the policy settings kicked in and terminated any related events.

Additional Information

  • Always check the events to see which reputation was 'applied' to either the Process or the Target.
  • On the Investigate page it will look something like this: App reputation (applied, AV scan), or Target reputation (applied, cloud).
  • You may see two entries for reputation, but it is the 'Applied' reputation that comes into play; the other is the file's current reputation, not its reputation at the time of the event.
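The check above, expressed as a small triage script (an added example, not Carbon Black's code): it walks a list of events, evaluates the Terminate rule against the reputation that was applied at event time rather than the current one, and reports hashes that ran before their 'Known Malware' verdict arrived. Event records, field names and hashes are constructed here and are not the CBC event schema.

```python
from dataclasses import dataclass
from typing import Dict, List

KNOWN_MALWARE = "Known Malware"  # reputation the policy rule keys on
NOT_LISTED = "Not Listed"        # neither local AV nor the cloud had a verdict yet

@dataclass
class Event:
    ts: int                  # seconds since epoch (constructed values)
    sha256: str              # placeholder, not a real sample hash
    action: str              # what the sensor did: "RAN" or "TERMINATED"
    applied_reputation: str  # reputation the sensor enforced on at event time
    current_reputation: str  # reputation the console shows for the file now

def policy_terminates(applied_reputation: str) -> bool:
    """Rule 'Known Malware: runs or is running -> Terminate' is evaluated
    against the APPLIED reputation, i.e. what the sensor knew at the time."""
    return applied_reputation == KNOWN_MALWARE

def reputation_gaps(events: List[Event]) -> Dict[str, dict]:
    """Per hash: runs the rule could not block because the applied reputation
    was not yet Known Malware, plus the delay until the first termination."""
    by_hash: Dict[str, List[Event]] = {}
    for ev in events:
        by_hash.setdefault(ev.sha256, []).append(ev)
    report: Dict[str, dict] = {}
    for sha, evs in by_hash.items():
        evs.sort(key=lambda e: e.ts)
        allowed = [e for e in evs
                   if e.action == "RAN" and not policy_terminates(e.applied_reputation)]
        blocked = [e for e in evs if e.action == "TERMINATED"]
        # Only a gap if the file is NOW Known Malware but ran while unclassified
        if allowed and any(e.current_reputation == KNOWN_MALWARE for e in evs):
            report[sha] = {
                "allowed_runs": len(allowed),
                "applied_at_first_run": allowed[0].applied_reputation,
                "seconds_until_blocked": blocked[0].ts - allowed[0].ts if blocked else None,
            }
    return report

# Constructed sample events mirroring the scenario in this article
SAMPLE = [
    Event(1000, "sha256-placeholder-A", "RAN", NOT_LISTED, KNOWN_MALWARE),
    Event(1030, "sha256-placeholder-A", "RAN", NOT_LISTED, KNOWN_MALWARE),
    Event(1900, "sha256-placeholder-A", "TERMINATED", KNOWN_MALWARE, KNOWN_MALWARE),
    Event(1100, "sha256-placeholder-B", "RAN", NOT_LISTED, NOT_LISTED),  # no gap
]

if __name__ == "__main__":
    for sha, finding in reputation_gaps(SAMPLE).items():
        print(sha, finding)
```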