Endpoint Standard: Approved hash with previous Known_Malware reputation still blocked
Article ID: 289966
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
- Hash was first seen via USB device and blocked with a Known Malware reputation
- After hash is added to the approved list, the sensor continues to block the application as malware
Environment
- Endpoint Standard Sensor: 3.7.0.1253
- Microsoft Windows
Cause
When a process is first seen on removable memory, the reputation cache may persist after the device is removed.
Resolution
- This will be fixed in a future sensor version. It will be tracked with the ID DSEN-16867
- As a workaround, restart the endpoint to clear out the reputation cache
Additional Information
Approving a hash that has a Known Malware reputation can pose a security risk. Please ensure any approved hashes are in fact trusted by the company.