Cb Defense: Potentially Unwanted Program (PUP) Allowed to Run

Article ID: 290071


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Logs show that a Potentially Unwanted Program (PUP) was allowed to execute the function "CreateWindowExW".

Environment

  • Cb Defense Sensor: 3.2.x
  • The Blocking and Isolation policy rule for "Adware or PUP" is set to terminate on "Perform ransomware-like behavior"

Cause

CreateWindowExW is not one of the APIs the sensor checks for ransomware behavior, so the call was allowed under the policy.

Resolution

  1. From the main Dashboard screen, go to Enforce > Policies.
  2. Select the policy where the "Adware or PUP" rule is set to terminate on "Perform ransomware-like behavior".
  3. Change the policy to "Runs or is running" > "Terminate process".
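
To find every policy that still has this gap, the check below flags policies that do not terminate "Adware or PUP" on "Runs or is running". It is an added example, not Carbon Black code: the dictionary layout and the sample policy names are assumptions constructed for illustration and are not the Carbon Black Cloud policy export schema.

```python
"""Audit policies for the gap this article describes (constructed model)."""

TARGET = "Adware or PUP"
RUN_OP = "Runs or is running"
TERMINATE = "Terminate process"

# Constructed sample data. The dictionary layout is an assumption made for
# this example; it is not the Carbon Black Cloud policy export schema.
SAMPLE_POLICIES = [
    {"name": "Standard", "rules": [
        {"target": TARGET, "operation": "Perform ransomware-like behavior",
         "action": TERMINATE}]},
    {"name": "Hardened", "rules": [
        {"target": TARGET, "operation": RUN_OP, "action": TERMINATE}]},
    {"name": "Servers", "rules": [
        {"target": "Known malware", "operation": RUN_OP, "action": TERMINATE}]},
]


def _norm(value):
    """Compare labels case-insensitively and ignore stray whitespace."""
    return " ".join(str(value).split()).lower()


def pup_terminated_on_run(policy):
    """True if the policy terminates Adware/PUP as soon as it runs."""
    return any(
        _norm(r.get("target")) == _norm(TARGET)
        and _norm(r.get("operation")) == _norm(RUN_OP)
        and _norm(r.get("action")) == _norm(TERMINATE)
        for r in policy.get("rules", [])
    )


def audit(policies):
    """Return {policy name: finding} for policies where a PUP can still run."""
    findings = {}
    for policy in policies:
        if pup_terminated_on_run(policy):
            continue
        # Behaviour-scoped PUP rules only fire on that behaviour, not on run.
        scoped = sorted({r.get("operation", "?") for r in policy.get("rules", [])
                         if _norm(r.get("target")) == _norm(TARGET)})
        findings[policy["name"]] = (
            "PUP rules limited to: " + ", ".join(scoped) if scoped
            else "no Adware or PUP rule")
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {finding}")
```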

Additional Information

  • Carbon Black recommends testing policy changes on a test group/environment prior to deployment into production.