CB Response: False positives in CB Community feed "Suspicious Screen Narrator Process" Threat Report

CB Response: False positives in CB Community feed "Suspicious Screen Narrator Process" Threat Report

search cancel

CB Response: False positives in CB Community feed "Suspicious Screen Narrator Process" Threat Report

book

Article ID: 290136

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

File on hit contains Screen Reader or Narrator in description

Environment

CB Response Server: 6.2.1 and Above

Cause

This is caused by a delay in the query and response of binary and event data. This issue is currently tracked with ID CB-21633.

Resolution

Disable the report in the threat feed
- Go to Threat Intelligence > Cb Community > Threat Reports
- Search for 'Narrator'
- In the result for 'Suspicious Screen Narrator Process', toggle the Ignore column from No to Yes
Create a custom watchlist using a wild card and negation of the original query values
- process_name:narrator.exe file_desc:* -file_desc:"Screen Reader" -file_desc:"Narrator"

Feedback

thumb_up Yes

thumb_down No