Automatically Ban Malicious Hashes Detected by the Reputation Service

Article ID: 286525

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How to use an Event Rule to automatically ban a hash when flagged as Malicious by the Reputation Service

Environment

  • App Control Console: All Supported Versions

Resolution

WARNING: Caution should be exercised when creating Event Rules to automatically ban files.
  1. Log in to the Console and navigate to Rules > Event Rules.
  2. Click View Details (pencil icon) on the Event Rule: [Sample] Report Malicious files.
  3. Adjust the details as desired. The default settings include:
    • Status: Disabled
    • Event Properties: Subtype > is: Malicious file detected
    • File Properties: Publisher > does not contain: <empty>
      • It is highly recommended to include "Publisher does not contain: Microsoft" to prevent the accidental ban of a critical system file.
    • Action: Change Global State > Ban (Report Only)
      • In Report Only mode, only the ban file events are reported; the files can still execute.
    • Create For: All Current and Future Policies
  4. Save any changes.

Additional Information

  • Filters can be added to Event Rules. Examples:
    • By default, Event Rules will change any pre-existing file state: if the file was Approved, it will be changed to Banned. To prevent this:
      • File Properties > Add filter > File State > is: Unapproved
    • Add a Publisher exclusion for explicitly trusted Publishers:
      • File Properties > Add filter > Publisher > does not contain: Trusted Publisher
  • See also: Data Used to Determine Malicious Reputation.
  • Use the ESG Submission Portal to submit a False Positive or False Negative report.
  • More information on Event Rules can be found in the User Guide chapter: Event Rules.
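
The effect of the recommended filters, as an added example that is not part of the original article or of App Control: a simplified Python model of the rule's filters, evaluated over constructed events to show which hashes each variant of the rule would act on. It assumes "does not contain" is a case-insensitive substring match; the `Rule` class, the field names and all sample values are hypothetical.

```python
# Simplified model of the Event Rule filters described above. Assumption:
# "does not contain" is a case-insensitive substring test. Not product code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subtype: str = "Malicious file detected"   # Event Properties > Subtype
    publisher_excludes: tuple = ()             # Publisher > does not contain
    required_state: str = ""                   # File State > is (if added)

    def matches(self, event):
        if event["subtype"] != self.subtype:
            return False
        publisher = event.get("publisher", "").lower()
        if any(term.lower() in publisher for term in self.publisher_excludes):
            return False   # excluded publisher: leave the file alone
        if self.required_state and event["file_state"] != self.required_state:
            return False   # do not overwrite a pre-existing state
        return True


def would_ban(rule, events):
    """Return the hashes the rule would act on, in event order."""
    return [e["hash"] for e in events if rule.matches(e)]


MAL = "Malicious file detected"
# Constructed sample events; the hashes are placeholders, not indicators.
EVENTS = [
    {"hash": "HASH_A", "subtype": MAL, "publisher": "", "file_state": "Unapproved"},
    {"hash": "HASH_B", "subtype": MAL, "publisher": "Microsoft Corporation", "file_state": "Approved"},
    {"hash": "HASH_C", "subtype": MAL, "publisher": "Trusted Publisher", "file_state": "Approved"},
    {"hash": "HASH_D", "subtype": "Other subtype (constructed)", "publisher": "", "file_state": "Unapproved"},
    {"hash": "HASH_E", "subtype": MAL, "publisher": "Example Vendor", "file_state": "Approved"},
]

DEFAULT = Rule()                                    # sample rule, no extra filters
MS_ONLY = Rule(publisher_excludes=("Microsoft",))   # recommended minimum
HARDENED = Rule(publisher_excludes=("Microsoft", "Trusted Publisher"),
                required_state="Unapproved")

if __name__ == "__main__":
    for name, rule in (("default", DEFAULT), ("ms-only", MS_ONLY), ("hardened", HARDENED)):
        print(f"{name:9} -> {would_ban(rule, EVENTS)}")
```

In this model the unfiltered rule acts on the Microsoft-signed and previously Approved files as well, which is the outcome the Publisher and File State filters are meant to prevent.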