EDR: CB Abuse.Ch threat feed continues to generate alerts on a hash that appeared on Abuse.ch's bad hash list and has since been removed.


Article ID: 286276


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  1. Go to this website: https://www.abuse.ch/
  2. Choose the reporting vendor (tracker) that the alert being seen refers to
  3. Search that vendor's database for the MD5 hash being seen
  4. The MD5 hash is not in the list

Environment

  • EDR Server: 7.5.0-svr and Higher
  • EDR Sensors: All versions
  • CB Threat Feed: Abuse.ch

Cause

There is an issue with the CB Abuse.ch feed: once an MD5 hash has been registered,
it is never removed, even after the hash has been removed from the Abuse.ch source (the feodotracker site).

Resolution

This can be worked around by editing /etc/cb/cb.conf (on a cluster, editing only the Primary is sufficient) and adding this line:

    IgnoreTimestampOnFeedUpdate=true

and then restarting the cluster services.
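The following shell script is an added example (it is not part of this article and not Carbon Black's own tooling) of applying the workaround safely: it backs up cb.conf, sets the key idempotently so a second run does not duplicate it and an existing IgnoreTimestampOnFeedUpdate=false line is corrected rather than shadowed, and reads the value back for verification. The restart commands at the bottom are an assumption on my part (the article only says "restart the cluster services"); adjust them to the procedure in use at your site.

```shell
#!/bin/sh
# Added example: set IgnoreTimestampOnFeedUpdate=true in cb.conf safely.
# Not Carbon Black code; the restart commands below are assumptions.

# set_conf_key FILE KEY VALUE
# Idempotently sets KEY=VALUE in a cb.conf-style file: rewrites an existing
# (uncommented) KEY line in place, otherwise appends one. Keeps a timestamped
# backup and preserves the file's ownership/permissions.
set_conf_key() {
    conf="$1"; key="$2"; value="$3"
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        # Key already present (possibly with another value): replace that line.
        tmp="$conf.tmp.$$"
        sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$conf" > "$tmp"
        cat "$tmp" > "$conf"   # write through to keep original perms/owner
        rm -f "$tmp"
    else
        # Key absent: append it.
        printf '%s=%s\n' "$key" "$value" >> "$conf"
    fi
}

# get_conf_key FILE KEY
# Prints the effective value of KEY (last uncommented occurrence wins),
# or nothing if the key is not set. Use it to verify the edit before restarting.
get_conf_key() {
    conf="$1"; key="$2"
    grep "^[[:space:]]*${key}[[:space:]]*=" "$conf" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Apply the workaround from this article: sh cb_feed_workaround.sh --apply
# (run on the Primary of a cluster, as root).
if [ "${1:-}" = "--apply" ]; then
    set_conf_key /etc/cb/cb.conf IgnoreTimestampOnFeedUpdate true
    echo "IgnoreTimestampOnFeedUpdate=$(get_conf_key /etc/cb/cb.conf IgnoreTimestampOnFeedUpdate)"
    # ASSUMPTION: restart commands are not named by the article. Cluster:
    /usr/share/cb/cbcluster stop && /usr/share/cb/cbcluster start
    # Standalone server alternative: service cb-enterprise restart
fi
```

Run it without arguments to load the functions only (for testing against a copy of cb.conf); run with --apply on the Primary to make the change and restart. The backup lets you roll back by copying the .bak file over cb.conf and restarting again.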

Additional Information

If the hash being seen is on the vendor's malware list, then the alert is legitimate and should be responded to.