App Control: Malicious File Alert for File With Old First Seen Date
Article ID: 286445
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Malicious File Events generated for files that have an old First Seen Date.
Environment
App Control Console: All Supported Versions
App Control Agent: All Supported Versions
Cause
The database used for the CDC is constantly updated with new malware feed information, threat research results, and more. These updates can change a file's existing Trust and Threat Score. The updated information is then passed down to the App Control Server through the CDC service, and any file in the DAS database's historical file catalog whose score changed will trigger a Malicious File Event accordingly, even if the file is no longer present in the environment.
Resolution
Click the File Name in the Event.
When the File Details page loads, locate General > File Prevalence.
If Prevalence is more than 0: Use the Related Views menu on the right-hand side to find the File Instances or Computers with the file. Deleting the file or creating a File Ban is a recommended action.
If Prevalence is 0: Consider enabling Zero Prevalence Pruning to prevent future occurrences of this situation.
Additional Information
The default behavior of this configuration (retaining file information and generating alerts when a file's reputation becomes malicious) is intentional: the alert indicates that at some point the malware existed in the environment, even if it is no longer present.