EDR: Windows Sensor Generating False Positive Alerts for Binaries with the Wrong Hash Value

Article ID: 285980


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

The EDR UI Console is generating binary alerts that appear to be false positives: when the actual binary is pulled from the endpoint, its hash differs from the hash EDR recorded for the event that raised the alert.

Environment

  • EDR Server: All Versions
  • EDR Windows Sensor: 7.2.x and Lower
  • Windows OS: All Supported Versions

Cause

A condition was found where, if two processes loaded the same DLL at the same time and the driver had not yet observed that binary, the driver could skip reporting one of the loads, so the DLL load would not be attributed to one of the two processes. The resulting event can then carry a hash that does not match the binary actually present on the endpoint.
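The triage step implied above, as an added example that is not part of this article and not Carbon Black's own tooling: hash the binary on the endpoint with the built-in Get-FileHash cmdlet, compare it with the hash shown in the EDR alert, and check the file's Authenticode signature. The path and alert hash are placeholders you supply from your own alert.

```powershell
# Added example (not from the KB article): confirm whether an EDR binary alert
# refers to a hash that does not match the binary actually on disk.
# $Path and $AlertHash are placeholders taken from the alert under review.

function Test-AlertBinaryHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,       # on-disk path of the binary named in the alert
        [Parameter(Mandatory)] [string] $AlertHash   # MD5 or SHA-256 value shown in the EDR console
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # EDR may report binaries by MD5 or SHA-256, so compute both and accept either.
    $md5      = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $expected = $AlertHash.Trim().ToUpperInvariant()
    $matches  = ($expected -eq $md5) -or ($expected -eq $sha256)

    # A valid Authenticode signature on the on-disk file supports the reading that
    # the file itself is benign and the alert hash is the misattributed value.
    $sigStatus = (Get-AuthenticodeSignature -LiteralPath $Path).Status

    if ($matches) {
        $verdict = 'Alert hash matches the on-disk binary; investigate the alert on its merits'
    } else {
        $verdict = 'Alert hash does not match the on-disk binary; consistent with the sensor attribution issue if the sensor is 7.2.x or lower'
    }

    [pscustomobject]@{
        Path            = $Path
        AlertHash       = $expected
        OnDiskMD5       = $md5
        OnDiskSHA256    = $sha256
        HashMatches     = $matches
        SignatureStatus = $sigStatus
        Verdict         = $verdict
    }
}

# Usage (placeholder values; replace with the path and hash from your alert):
# Test-AlertBinaryHash -Path 'C:\Windows\System32\example.dll' -AlertHash '<hash from EDR alert>'
```

A mismatch on its own is not proof that the alert is this false positive: the file may have been updated since the event was recorded, or replaced. Pair the result with the sensor version on the endpoint and the file's signature status before closing the alert.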

Resolution

This issue has been resolved in the 7.3.0 Windows sensor.