Carbon Black Cloud: Subsequent blocked events on the same hash do not show up in the console

Article ID: 288471


Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Subsequent blocked events on the same hash do not show up in the console
  • Multiple attempts made to execute the same binary in a short timeframe
  • Binary was blocked from execution due to blocking rules configured on the policy
  • Sensor logs show the following message:
INFO UiMsgObj::AddThreat: Same threat () on the same file (C:\windows\syswow64\windowspowershell\v1.0\powershell.exe) was reported less than 0 D 0 H 30 M 0.0 S ago. Suppress UI Msg

 

Environment

  • Carbon Black Cloud: All versions

Cause

Events are suppressed by the sensor's internal event suppression logic.

Resolution

This is expected behavior. Because the same threat for the same file was reported less than 30 minutes apart, no events were sent to the console.
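
Because suppressed reports never reach the console, the sensor log is where repeat attempts can be counted. The following is an added example, not part of the original article or any vendor tooling: it parses lines shaped like the message quoted above and tallies suppressed reports per file. The function names and the sample lines are constructed, and it assumes each matching line corresponds to one suppressed report and that the message layout matches the single line shown in this article.

```python
import re
from collections import Counter
from datetime import timedelta

# Pattern derived from the one message quoted in this article. search() is
# used so any prefix before "INFO" (timestamp, thread id) is ignored.
SUPPRESS_RE = re.compile(
    r"UiMsgObj::AddThreat: Same threat \((?P<threat>.*?)\) on the same file "
    r"\((?P<file>.+)\) was reported less than "
    r"(?P<d>\d+) D (?P<h>\d+) H (?P<m>\d+) M (?P<s>\d+(?:\.\d+)?) S ago\. "
    r"Suppress UI Msg"
)

def parse_suppression(line):
    """Return (threat, file_path, window) for a suppression line, else None."""
    m = SUPPRESS_RE.search(line)
    if not m:
        return None
    window = timedelta(days=int(m["d"]), hours=int(m["h"]),
                       minutes=int(m["m"]), seconds=float(m["s"]))
    # Windows paths are case-insensitive, so normalise before counting.
    return m["threat"], m["file"].lower(), window

def count_suppressed(lines):
    """Count suppressed reports per (lower-cased) file path."""
    counts = Counter()
    for line in lines:
        parsed = parse_suppression(line)
        if parsed:
            counts[parsed[1]] += 1
    return counts

# Constructed sample input: the first line is the message from this article,
# the rest are made up to exercise case differences, a path that contains
# parentheses, and an unrelated line.
SAMPLE_LOG = [
    r"INFO UiMsgObj::AddThreat: Same threat () on the same file (C:\windows\syswow64\windowspowershell\v1.0\powershell.exe) was reported less than 0 D 0 H 30 M 0.0 S ago. Suppress UI Msg",
    r"INFO UiMsgObj::AddThreat: Same threat () on the same file (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) was reported less than 0 D 0 H 30 M 0.0 S ago. Suppress UI Msg",
    r"INFO UiMsgObj::AddThreat: Same threat () on the same file (C:\Program Files (x86)\Example\tool.exe) was reported less than 0 D 0 H 30 M 0.0 S ago. Suppress UI Msg",
    r"INFO constructed unrelated sensor message",
]

if __name__ == "__main__":
    for path, n in count_suppressed(SAMPLE_LOG).most_common():
        print(f"{n:3d} suppressed report(s): {path}")
```

A high count for one path inside the 30-minute window indicates repeated execution attempts that the console shows only once.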