CBC: Does Carbon Black have the CVE Hashes in a Watchlist?

Article ID: 287667

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Are CVE hashes included in CBC watchlists?

Environment

  • Carbon Black Cloud:  All Products

Resolution

  • No. CVEs report known vulnerabilities in commonly used software; they are not lists of malware hashes.
    • CVEs rarely contain hashes. Instead, they include the software versions affected by the vulnerability.
    • A watchlist containing hashes for commonly used software would create alert fatigue.
    • If a CVE did include a hash (unlikely), the Investigate search page could be used to find the hash in the environment. 
      • If the hash is found, it may be advisable to create a custom watchlist to monitor its use until the patch is available. 
      • Carbon Black creating custom watchlists for commonly used software hashes for all customers is not maintainable.
Example: If the CVE reports that Firefox versions < 82.0.3 (CVE-2020-26950) are vulnerable, then alerts should not occur for each use of Firefox. Instead, the vulnerability requires a certain configuration (an environmental setting) to be met before or after Firefox starts. The CBC administrator would determine whether that configuration is needed in their environment.
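
The contrast in the Firefox example, as an added illustration that is not Carbon Black code or part of the original article: a hash list is modelled as one hit per execution of a listed binary, and is compared with a per-host check against the affected version range. The host names, events, hash placeholders and the one-hit-per-execution model are all constructed assumptions.

```python
# Affected range from the article's example: Firefox versions < 82.0.3 (CVE-2020-26950).
FIXED_IN = (82, 0, 3)

# Constructed process-start events: (host, product, version, hash placeholder).
EVENTS = [
    ("ws-01", "firefox", "82.0.2", "placeholder-hash-a"),
    ("ws-01", "firefox", "82.0.2", "placeholder-hash-a"),
    ("ws-01", "firefox", "82.0.2", "placeholder-hash-a"),
    ("ws-02", "firefox", "81.0", "placeholder-hash-b"),
    ("ws-02", "firefox", "81.0", "placeholder-hash-b"),
    ("ws-03", "firefox", "82.0.3", "placeholder-hash-c"),   # already patched
    ("ws-04", "firefox", "80.0.1", "placeholder-hash-f"),   # affected build missing from the hash list
    ("ws-04", "chrome", "86.0.4240.183", "placeholder-hash-e"),
]

# Hypothetical hash list covering only the affected builds someone happened to collect.
WATCHED = {"placeholder-hash-a", "placeholder-hash-b"}


def parse_version(text):
    """Turn '82.0.2' into (82, 0, 2); pad short versions so '81.0' compares as 81.0.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def hash_watchlist_hits(events, watched):
    """Assumed model: every execution of a listed hash produces one hit."""
    return [e for e in events if e[3] in watched]


def vulnerable_hosts(events, product, fixed_in):
    """One finding per host running the product below the fixed release."""
    found = {}
    for host, name, version, _hash in events:
        if name == product and parse_version(version) < fixed_in:
            found[host] = version
    return found


if __name__ == "__main__":
    hits = hash_watchlist_hits(EVENTS, WATCHED)
    print(f"hash list: {len(hits)} hits on hosts {sorted({h[0] for h in hits})}")
    for host, version in sorted(vulnerable_hosts(EVENTS, "firefox", FIXED_IN).items()):
        print(f"version check: {host} runs firefox {version}, below 82.0.3")
```

The hash list fires five times for ordinary browser use and still misses ws-04, while the version check yields one finding per affected host.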

Additional Information

Note: Known malware hashes of community-shared binaries are added to the Reputation database daily with the intent to detect and protect the endpoints against malware.
  • Hashes listed in VirusTotal are normally included in the Reputation database.
  • CB Support can verify if a hash exists in the Reputation database.