Carbon Black Cloud: Why is there an alert for a malicious file inside a directory that is Bypassed?
Article ID: 288095
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Why are unexpected alerts for the creation of a malicious file that was generated by RepMgr.exe appearing in the Web Console? The malicious file is located inside a directory that is Bypassed due to a Policy setting.
Environment
Carbon Black Cloud Web Console: All Versions
Endpoint Standard Web Console: All Versions
Enterprise EDR Web Console: All Versions
Carbon Black Cloud Windows Sensor: All Versions
Resolution
The combination of several factors creates this unusual situation:
Both Endpoint Standard and Enterprise EDR are enabled.
The Policy for the affected endpoint includes a Bypass for the directory where the malicious file exists.
The malicious file is shown to have been created by RepMgr.exe, which is a process that's part of the Carbon Black Cloud Sensor.
Bypassed directories configured through Policy settings do not apply to Enterprise EDR (EEDR) functionality.
Because of this, EEDR will evaluate the hash of every *.exe file written to disk, regardless of its location on the file system.
If the hash is determined to be malicious software, an alert is generated.
However, if the malicious file was created inside a directory that Endpoint Standard had Bypassed, the name of the process that actually created the file is not recorded.
When the process name is not recorded in this way, RepMgr.exe is reported as the creating process instead.