Carbon Black Cloud: How does CBC warn you when you try and block Processes on Trusted White List?

Article ID: 287461

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

How does CBC warn you when you try to block processes that are on the Trusted White List?

Environment

Carbon Black Cloud Console: All Versions

Resolution

  1. While investigating an alert, also review the Binary Details of the file. This lets you understand more about the file and see how CBC has the file listed.
  2. If you choose to ban a known good item on the Trusted White List, you will be prompted with a page that tells you how many times the hash has been seen in your organization over the last six months, along with the current Cloud Reputation and Signed By values.
  3. If you continue to add the file, you will be required to check a box beside a note stating "I agree to add this hash to the company Banned list", with a warning above it, in red, stating "This hash is commonly trusted and widely used. Ban Anyway?"
Example:
The hash for svchost.exe is an example of a file that will prompt you in this way.
hash: add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88

Additional Information

If you do not use the above process to review binaries from the Investigate page and instead go to the Enforce and Reputation page, you will be taking a risk, because doing so bypasses the warning.