CB Defense: Unexpected Blocks When Sensor Cannot Reach Backend
Article ID: 288925
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Whitelisted and known good files are blocked if the Sensor cannot reach the backend
Environment
CB Defense PSC Sensor: All supported versions
CB Defense PSC Console: All supported versions
Cause
The Sensor may determine the cloud is not reachable after multiple consecutive connection failures
The Sensor will rely on local scanner reputation or apply an "Unknown" reputation to new files
No delays are set to allow cloud lookup to complete or provide time for file certificate verification
Once the local scanner returns a reputation (which may include not_listed and unknown reputations), that reputation is applied and the related policy rules are enforced
Resolution
Ensure Sensors can reach the PSC backend to avoid unexpected blocks
Additional Information
The Sensor will err on the side of caution when not connected to the Cloud by applying the Unknown reputation to new files
The Sensor will continue to perform cloud lookups when connectivity is restored and will update file reputations as needed
File certification checks will also be allowed to complete and will be used to update file reputations as needed
Once a file and a specific PID are associated with a reputation, a new reputation will not be applied until the process is restarted and a new PID is assigned