Cb Protection: Malicious File Alert Triggered with No Event Listed

Article ID: 288797

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • An email regarding a Malicious File event is sent, but the corresponding event is not listed in the console.
  • The alert details show the Alert as not triggered at that time.

Environment

  • Cb Protection Console: All Versions

Cause

Because of other checks regarding the Alert, an event is not listed if the file has 0 prevalence in the environment. This means the event will only be listed if the file is listed on at least one current machine.

Resolution

This is an intended function of the alert. It's attempting to let you know that a malicious file existed at one point in time on your network, but does not exist currently. 

If you do want the event to show, even for non-prevalent files, you can disable the existing Malicious File Alert and create two new Alerts with the following settings:
  1. Alert 1:
    • Alert Name: Malicious File Detected Non-Prevalent 
    • Type: Event Alert
    • Mail Template: Template for Event
    • Event Property: Subtype is Malicious File Detected
    • File Property: Prevalence equal to 0
  2. Alert 2:
    • Alert Name: Malicious File Detected Prevalent 
    • Type: Event Alert
    • Mail Template: Template for Event
    • Event Property: Subtype is Malicious File Detected
    • File Property: Prevalence larger than 0