CB-Defense-Delete-Hash-From-Endpoint-Not-Completing
search cancel

CB-Defense-Delete-Hash-From-Endpoint-Not-Completing

book

Article ID: 287849

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Attempting to delete the specific hash from all the endpoints does not delete the hash
  • Attempting to delete on the individual endpoint also fails
  • Attempted to delete by selecting "Take Action" drop down in the Endpoints tab and selecting "Delete application"
  • Application/Hash remains on device
  • Sensors reside behind a proxy
  • Audit Log shows
    Hash - f5de9f13a3c4ac23510cde59a413fb9824e8548a853c5b7ab55dae123ded32a9 was requested to be deleted by [email protected] on device 12345 but no further actions are made.

Environment

  • CB Defense PSC Console: All Versions
  • CB Defense PSC┬áSensor: 3.2.x - 3.3.x
  • Microsoft Windows: All Supported Versions

Cause

There is an issue where the CB Defense sensor may fail to retrieve the hash delete list if using a proxy.

Resolution

  1. Upgrade sensor to version 3.4.0.820 or higher where this issue if fixed
  2. Attempt to delete hash once more
  3. Confirm successful deletion by observing a message similar to the one below in the Audit Log
Success deleting hash 'f5de9f13a3c4ac23510cde59a413fb9824e8548a853c5b7ab55dae123ded32a9' off of device '12345678' at path '\Device\HarddiskVolume3\Windows\xx\10567837.exe'. Reason: SUCCESS