How to Mark and Purge Inactive Banned Hashes from Console

Article ID: 287594

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

This article explains how to mark banned hashes as inactive and how to purge disabled or inactive banned hashes from the Managed Banned Hashes page.

Environment

  • Carbon Black EDR: All Versions

Resolution

To Mark Inactive:
  • Via the EDR Console or GUI:
    • Open the 'Banned Hashes' tab
    • Uncheck any hashes that are to be set to inactive
  • Via the EDR Server Terminal:
    • Use either of the following commands to set hashes to inactive:
        curl -XDELETE -H "X-Auth-Token: <api-token>" "https://127.0.0.1/api/v1/banning/blacklist/<md5-hash>" -k
      or
        curl -XDELETE -H "X-Auth-Token: `psql -p 5002 cb -t -c 'select auth_token from cb_user where id = 1;'`" "https://127.0.0.1/api/v1/banning/blacklist/<md5-hash>" -k
    • The second command reads the API token of the user with id = 1 from the EDR database instead of taking it as pasted input. In both commands, -k tells curl to skip TLS certificate verification for the request to 127.0.0.1.
    • Results will be:
        {"result": "success"}
      or
        Ban for md5 '<md5-hash>' does not exist

To Purge Inactive or Disabled Hashes:
  1. From the EDR Server, open Terminal.
  2. Run: 
    /usr/share/cb/cbbanning purge-inactive
  3. A message will appear confirming the removal of inactive banned hashes:
    Removed <number> inactive bans
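
The mark-inactive step above applied to a list of hashes, as an added example that is not part of the original article or the Carbon Black tooling: it validates each MD5, sends the article's DELETE request, and maps the two documented responses to a status. The CB_API_TOKEN variable, the hash-list file format (one MD5 per line, # for comments) and all function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: bulk-deactivate banned hashes listed in a file.
# CB_API_TOKEN and the hash-list file are assumptions, not part of the product.
CB_URL="https://127.0.0.1/api/v1/banning/blacklist"   # endpoint from the article

# Accept only a 32-character hex MD5; print it lower-cased, or return 1.
normalize_md5() {
    local h
    h=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$h" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#h}" -eq 32 ] || return 1
    printf '%s\n' "$h"
}

# Map the two responses documented in the article to a status word.
classify_response() {
    case "$1" in
        *'"result": "success"'*) echo deactivated ;;
        *"does not exist"*)      echo not-banned ;;
        *)                       echo unexpected ;;
    esac
}

# Send the DELETE for one hash (same request as the article's curl command).
deactivate_hash() {
    curl -sS -k -XDELETE -H "X-Auth-Token: $CB_API_TOKEN" "$CB_URL/$1"
}

# Read hashes from a file, skip blanks and comments, print "<hash> <status>".
deactivate_from_file() {
    local line md5
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        [ -z "$(printf '%s' "$line" | tr -d '[:space:]')" ] && continue
        if md5=$(normalize_md5 "$line"); then
            echo "$md5 $(classify_response "$(deactivate_hash "$md5")")"
        else
            echo "$line invalid-md5"   # never sent to the API
        fi
    done < "$1"
}

# Run only when a hash-list file is given, e.g.: ./deactivate.sh hashes.txt
if [ $# -gt 0 ]; then
    : "${CB_API_TOKEN:?export CB_API_TOKEN first}"
    deactivate_from_file "$1"
fi
```

Any line reported as unexpected or invalid-md5 should be reviewed before running /usr/share/cb/cbbanning purge-inactive, since the purge removes every inactive ban.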

Additional Information

Banned hashes can be disabled but not removed in the console. Removal of the hashes needs to happen from the backend.