Enterprise EDR: Search excluding parent_name returns results including listed parent process ($$deleteme prefix)
search cancel

Enterprise EDR: Search excluding parent_name returns results including listed parent process ($$deleteme prefix)

book

Article ID: 285938

calendar_today

Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Reports like 'SANS Unusual <process_name> Parent Or Child' and 'SANS Unusual <process_name> Parent' return results for the parent_name which should be excluded 
    Example
SANS Unusual Csrss.Exe Parent Or Child
((process_name:csrss.exe parent_name:* -parent_name:smss.exe -parent_name:csrss.exe)) -(legacy:true OR enriched:true)

Search returns results that include parent_name:smss.exe and/or parent_name:csrss.exe
  • Adding either '$$deleteme.<parent_name>.*' or '*<parent_name>*' for each listed parent reduces false positive search results 
    Examples
(process_name:csrss.exe parent_name:* AND -(parent_name:*smss.exe* OR parent_name:*csrss.exe*)) -(legacy:true OR enriched:true)
(process_name:csrss.exe parent_name:* AND -(parent_name:smss.exe OR parent_name:csrss.exe OR parent_name:$$deleteme.smss.exe* OR parent_name:$$deleteme.csrss.exe*)) -(legacy:true OR enriched:true)
  • Parent path C:\Windows\WinSxS\Temp\PendingDeletes\

Environment

  • Enterprise EDR Console: 03-May-2021 Release (0.65 backend)
  • Carbon Black Cloud Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Cause

Parent was in the process of being deleted at the time of the event as part of Windows update transition, and therefore had a temporary or transitional name starting with $$deleteme and running from PendingDeletes folder

Resolution

Overall issue being tracked under DSER-32492 and TR-5635

Additional Information

Workaround to improve search accuracy
  • Update search exclude transitional/temporary names 
    -parent_name:*<ActualName>*
NOT parent_name:*<ActualName>*

-parent_name:$$deleteme.<ActualName>*
NOT parent_name:$$deleteme.<ActualName>*
  • Example 
    Original search
((process_name:csrss.exe parent_name:* -parent_name:smss.exe -parent_name:csrss.exe)) -(legacy:true OR enriched:true)

Suggested searches
(process_name:csrss.exe parent_name:* AND -(parent_name:smss.exe OR parent_name:csrss.exe OR parent_name:*smss.exe* OR parent_name:*csrss.exe*)) -(legacy:true OR enriched:true)
(process_name:csrss.exe parent_name:* AND -(parent_name:smss.exe OR parent_name:csrss.exe OR parent_name:$$deleteme.smss.exe* OR parent_name:$$deleteme.csrss.exe*)) -(legacy:true OR enriched:true)
Powered by Wolken Software