Endpoint Standard: Why doesn't POLICY_DENY of KNOWN_MALWARE generate an Alert?
Article ID: 288930

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • An Event in the Investigate Page of the CB Defense Web Console reports the following:
    The application C:\path\selectedapp.exe was prevented from accessing the file C:\path\targetapp.exe due to a Deny operation or Terminate process policy action.
    
    TTPS: POLICY_DENY and the target application has a KNOWN_MALWARE, SUSPECT_MALWARE, PUP, or COMPANY_BLACK_LIST reputation
  • An Alert is not created for this event

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard (formerly CB Defense) Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Cause

If an application hash only attempts a generic READ access on the target malware, the sensor will block the action and log the event, but CB Defense will not form this event into an Alert.

Resolution

Depending on the policy rules in place, Endpoint Standard will prevent any application from accessing a known malware, suspect malware, PUP, or company black list file. This behavior is effectively a file quarantine, or "quarantine-in-place". The read operation will be denied, logged, and provisionally included in any threat that may be created at that time if one or more of the following minimum criteria are met:

  • Endpoint Standard Sensor first detects the malware on the local disk either from background scan or when the malware is initially created or dropped
  • Another application attempts to READ malware with the intention to EXECUTE or RUN the malware
  • The malware process was already running and the Endpoint Standard Sensor terminates the process
  • Event data is sent from the Sensor to the backend and analyzed to determine whether an AlertID should be assigned to the Event
  • If an AlertID is assigned, the Event will be categorized as either a Threat or Monitored Alert and shown on the Alerts page

Additional Information

  • The reason for this behavior is to reduce excessive or repetitious Alerts on read access of malware.
  • This could happen when backup software or disk indexing performs continuous READ operations of the malware file.
  • Even without the presence of such software, continuous read operations may occur every time the end user opens the file directory or path that contains the malware. This is especially true in cases where an environment is already inundated with newly downloaded or commodity malware which existed on these devices prior to the Endpoint Standard Sensor being installed.
  • If a notification on every deny event is required, create a notification in the Carbon Black Cloud Console that notifies when "Policy action enforced: Deny" occurs.
  • If notifications based on an Alert crossing a threshold (THREAT, MONITORED, Alert Priority) also exist, duplicate notifications for the same event may be received when a policy action is also enforced.
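
Because these read denials are logged but never reach the Alerts page, the files left quarantined in place are only visible in event data. The following Python is an added example, not Carbon Black code: it groups alert-less POLICY_DENY events by device and target file so recurring readers such as backup or indexing tools collapse into one cleanup item. The JSON-lines export format and all field names (`device`, `actor`, `target`, `target_reputation`, `ttps`, `alert_id`) are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict

# Reputations the article lists for the denied target file.
BLOCKED_REPUTATIONS = {"KNOWN_MALWARE", "SUSPECT_MALWARE", "PUP", "COMPANY_BLACK_LIST"}

# Constructed sample export, one JSON object per line. The field names are
# hypothetical; map them to the fields of your own event export.
SAMPLE_EVENTS = r"""
{"device": "WS-01", "actor": "C:\\backup\\agent.exe", "target": "C:\\tmp\\bad.exe", "target_reputation": "KNOWN_MALWARE", "ttps": ["POLICY_DENY"], "alert_id": null}
{"device": "WS-01", "actor": "C:\\index\\indexer.exe", "target": "C:\\tmp\\bad.exe", "target_reputation": "KNOWN_MALWARE", "ttps": ["POLICY_DENY"], "alert_id": null}
{"device": "WS-01", "actor": "C:\\Windows\\explorer.exe", "target": "C:\\tmp\\bad.exe", "target_reputation": "KNOWN_MALWARE", "ttps": ["POLICY_DENY"], "alert_id": "CONSTRUCTED-1"}
{"device": "WS-02", "actor": "C:\\Windows\\explorer.exe", "target": "C:\\tools\\toolbar.exe", "target_reputation": "PUP", "ttps": ["POLICY_DENY"], "alert_id": null}
{"device": "WS-02", "actor": "C:\\Windows\\explorer.exe", "target": "C:\\docs\\notes.txt", "target_reputation": "NOT_LISTED", "ttps": ["POLICY_DENY"], "alert_id": null}
"""


def silent_denies(lines):
    """Group POLICY_DENY events that have no alert by (device, target file)."""
    groups = defaultdict(lambda: {"reputation": None, "count": 0, "actors": set()})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if "POLICY_DENY" not in ev.get("ttps", []):
            continue
        if ev.get("target_reputation") not in BLOCKED_REPUTATIONS:
            continue
        if ev.get("alert_id"):  # already surfaced on the Alerts page
            continue
        group = groups[(ev["device"], ev["target"])]
        group["reputation"] = ev["target_reputation"]
        group["count"] += 1
        group["actors"].add(ev["actor"])
    return dict(groups)


if __name__ == "__main__":
    found = silent_denies(SAMPLE_EVENTS.splitlines())
    # Most frequently denied files first: these are the noisiest leftovers.
    for (device, target), info in sorted(found.items(), key=lambda kv: -kv[1]["count"]):
        readers = ", ".join(sorted(info["actors"]))
        print(f"{device} {target} [{info['reputation']}] denied x{info['count']} by {readers}")
```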