CB Response: How to Mark and Purge Inactive Banned Hashes from Console

Article ID: 287594

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to mark banned hashes inactive and purge disabled or inactive banned hashes from the Managed Banned Hashes page.

Environment

  • CB Response Application Server: All Versions

Resolution

To Mark Inactive:
  • Via the CB Response Console or GUI:
    • Open the 'Banned Hashes' tab
    • Un-check any hashes that are to be set to inactive
  • Via the CB Response Terminal:
    • Use either of the following commands to set hashes to inactive:
        curl -XDELETE -H "X-Auth-Token: <api-token>" "https://127.0.0.1/api/v1/banning/blacklist/<md5-hash>" -k

      or

        curl -XDELETE -H "X-Auth-Token: `psql -p 5002 cb -t -c 'select auth_token from cb_user where id = 1;'`" "https://127.0.0.1/api/v1/banning/blacklist/<md5-hash>" -k
    • The second command reads the API token of the user with id 1 from the cb database (psql on port 5002) instead of taking it as <api-token>. In both commands, -k makes curl skip TLS certificate verification for the connection to 127.0.0.1.
  • Results will be:
        {"result": "success"}

      or

        Ban for md5 '<md5-hash>' does not exist
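
The terminal method above, extended to a list of hashes, as an added example that is not part of the original article or Carbon Black's own tooling: it accepts only 32-character hex MD5 values before they reach the URL path and classifies the two documented responses. CB_URL, CB_TOKEN, DRY_RUN and the function names are assumptions made for this example; with DRY_RUN=1 (the default) no request is sent.

```shell
#!/bin/sh
# Added example: batch-deactivate bans through the DELETE endpoint shown above.
# CB_URL, CB_TOKEN and DRY_RUN are assumed names, not product settings.
# Usage after sourcing: DRY_RUN=0; CB_TOKEN=<api-token>; deactivate_bans < hashes.txt
# (hashes.txt is a hypothetical file with one MD5 per line).
CB_URL="${CB_URL:-https://127.0.0.1}"
DRY_RUN="${DRY_RUN:-1}"

# Accept only a 32-character hex string, so nothing else reaches the URL path.
is_md5() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Map the two response bodies documented in the article to a short status.
classify_response() {
    case "$1" in
        *'"result": "success"'*) echo deactivated ;;
        *"does not exist"*)      echo not-banned ;;
        *)                       echo unexpected ;;
    esac
}

# Deactivate one ban and print "<md5> <status>" as an audit line.
deactivate_ban() {
    md5=$1
    if ! is_md5 "$md5"; then
        echo "$md5 invalid-md5"; return 0
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "$md5 dry-run"; return 0
    fi
    # -k matches the article's command: no certificate check against 127.0.0.1.
    body=$(curl -s -k -XDELETE -H "X-Auth-Token: $CB_TOKEN" \
        "$CB_URL/api/v1/banning/blacklist/$md5")
    echo "$md5 $(classify_response "$body")"
}

# Read one hash per line from stdin; skip blank lines and '#' comments.
deactivate_bans() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        deactivate_ban "$line"
    done
}
```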
To Purge Inactive or Disabled Hashes:
  1. From the CB Response Application Server, open Terminal.
  2. Run: 
    /usr/share/cb/cbbanning purge-inactive
  3. A message will appear confirming the removal of inactive banned hashes:
    Removed <number> inactive bans

Additional Information

Banned hashes cannot be removed using the CB Response Console.  They can only be disabled.  Removal must happen from the terminal.