Carbon Black Cloud: Why is there an alert for a malicious file inside a directory that is Bypassed?

Article ID: 288095

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Why are unexpected alerts for the creation of a malicious file that was generated by RepMgr.exe appearing in the Web Console? The malicious file is located inside a directory that is Bypassed due to a Policy setting.
 

Environment

  • Carbon Black Cloud Web Console: All Versions
  • Endpoint Standard Web Console: All Versions
  • Enterprise EDR Web Console: All Versions
  • Carbon Black Cloud Windows Sensor: All Versions

Resolution

The combination of several factors creates this unusual situation:
  • Both Endpoint Standard and Enterprise EDR are enabled.
  • The Policy for the affected endpoint includes a Bypass for the directory where the malicious file exists.
  • The malicious file is shown to have been created by RepMgr.exe, which is a process that is part of the Carbon Black Cloud Sensor.
  • Bypassed directories configured through Policy settings apply only to Endpoint Standard; they do not apply to Enterprise EDR (EEDR) functionality.
  • Because of this, EEDR still checks the hash of every *.exe file written to disk, regardless of its location on the file system.
  • If the hash is determined to be malicious software, an alert is generated.
  • However, if the malicious file was created inside a directory that Endpoint Standard Bypassed, the name of the process that actually wrote the file is not recorded.
  • When a process name is not recorded in this way, RepMgr.exe is used in its place. The alert itself is genuine, but RepMgr.exe is a placeholder rather than the real creator of the file; it does not mean the Sensor dropped the file, and the true source must be identified by other means.
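The following is an added triage helper, not code from the article or from Carbon Black. It applies the reasoning above to a batch of alerts: an alert whose file path falls under a Policy Bypass and whose creating process is RepMgr.exe is classified as a legitimate EEDR hash detection with placeholder attribution, while RepMgr.exe attribution outside any Bypass is flagged for closer investigation. The Bypass patterns, the alert field names, the glob syntax (single * within one path segment, ** across segments, case-insensitive) and the sample alerts are all constructed assumptions for illustration, not the Carbon Black Cloud API or policy format.

```python
import re
from dataclasses import dataclass

# Assumption: Bypass patterns in a glob style where * stays within one
# path segment and ** spans segments; Windows paths compare case-insensitively.
# These paths are constructed examples, not a real policy.
BYPASS_PATTERNS = [
    r"C:\Build\**",
    r"C:\Users\*\AppData\Local\Temp\build\**",
]

# Per the article: when the creating process is not recorded for a file
# written under an Endpoint Standard Bypass, RepMgr.exe is substituted.
PLACEHOLDER_PROCESS = "repmgr.exe"


@dataclass
class Alert:
    """Minimal alert record (constructed field names, not the CBC API)."""
    alert_id: str
    file_path: str
    process_name: str


def _glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a Bypass glob into an anchored, case-insensitive regex."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")          # ** crosses directory boundaries
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")     # * stays inside one path segment
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def path_is_bypassed(path: str, patterns=BYPASS_PATTERNS) -> bool:
    """True if the file path falls under any Policy Bypass pattern."""
    normalized = path.replace("/", "\\")
    return any(_glob_to_regex(p).match(normalized) for p in patterns)


def classify(alert: Alert, patterns=BYPASS_PATTERNS) -> str:
    """Explain why an alert carries RepMgr.exe as the creating process.

    bypassed_path_placeholder_actor: EEDR hash detection on a file written
        under a Bypass; RepMgr.exe is a placeholder, the real writer is unknown.
    placeholder_actor_outside_bypass: RepMgr.exe attribution where no Bypass
        applies; does not match the article's explanation, investigate.
    attributed: a real creating process was recorded.
    """
    is_placeholder = alert.process_name.lower() == PLACEHOLDER_PROCESS
    bypassed = path_is_bypassed(alert.file_path, patterns)
    if is_placeholder and bypassed:
        return "bypassed_path_placeholder_actor"
    if is_placeholder:
        return "placeholder_actor_outside_bypass"
    return "attributed"


def triage(alerts, patterns=BYPASS_PATTERNS) -> dict:
    """Map each alert ID to its classification."""
    return {a.alert_id: classify(a, patterns) for a in alerts}


# Constructed sample alerts mirroring the scenario in the article.
SAMPLE_ALERTS = [
    Alert("A1", r"C:\Build\out\dropper.exe", "RepMgr.exe"),
    Alert("A2", r"C:\Users\alice\Downloads\dropper.exe", "chrome.exe"),
    Alert("A3", r"C:\Program Files\vendor\tool.exe", "RepMgr.exe"),
    Alert("A4", r"C:\Users\alice\AppData\Local\Temp\build\stage.exe", "RepMgr.exe"),
]

if __name__ == "__main__":
    for alert_id, verdict in triage(SAMPLE_ALERTS).items():
        print(alert_id, verdict)
```

The single-segment semantics of * matter: a Bypass for `C:\Users\*\AppData\...` covers `C:\Users\alice\AppData\...` but not `C:\Users\alice\extra\AppData\...`, so a RepMgr.exe-attributed file in the latter location is reported as outside any Bypass rather than silently explained away.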