Carbon Black Cloud: RemoveSa31Appx.exe False Positive Alerts
Article ID: 287823
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
- Multiple alerts: RemoveSA31Appx.exe
- Reason: The application pcdrwi.exe invoked another application (RemoveSA31Appx.exe). A Deny Policy Action was applied
- Recent TTPs:
  - pcdrwi.exe policy_denyrun_unknown_app
Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: All Versions
- Microsoft Windows: All Supported Versions
Resolution
The reputation has been updated, so these alerts should no longer occur for this instance of the file.
Additional Information
There is no need to open cases based on this; the reputation is updated. Whitelisting the hash can avoid any additional alerts going forward.