CBC: Does Carbon Black have the CVE Hashes in a Watchlist?
search cancel

CBC: Does Carbon Black have the CVE Hashes in a Watchlist?


Article ID: 287667


Updated On:


Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)


Are CVE hashes included in CBC watchlists?


  • Carbon Black Cloud:  All Products


  • No.  CVEs report known vulnerabilities of commonly used software, not a list of malware hashes.   
    • CVEs rarely contain hashes, instead they include software versions affected by the vulnerability.
    • A watchlist containing hashes for commonly used software would create alert fatigue.
    • If a CVE did include a hash (unlikely), the Investigate search page could be used to find the hash in the environment. 
      • If the hash is found, it may be advisable to create a custom watchlist to monitor its use until the patch is available. 
      • Carbon Black creating custom watchlists for commonly used software hashes for all customers is not maintainable.
Example:  If the CVE reports Firefox versions < 82.0.3 (CVE-2020-26950) are vulnerable, then alerts should not occur for each use of Firefox.   Instead, the vulnerability requires a certain configuration be met (an environmental setting) before or after Firefox starts;  The CBC administrator would determine if the certain configuration is needed in their environment. 

Additional Information

Note: Known malware hashes, of community shared binaries, are added to the Reputation database daily with the intent to detect and protect the endpoints against malware.
  • Hashes listed in VirusTotal are normally included in the Reputation database.
  • CB Support can verify if a hash exists in the Reputation database.