CB Cloud: Prevention not working with Linux Sensor
Article ID: 290262
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
A hash was blacklisted and a Blocking and Isolation policy rule was created, but the hash is not being blocked / terminated on the Linux sensor.
Policy rule in use: Application on the company blacklist, Runs or is running, Deny / Terminate Operation
Environment
Carbon Black Cloud Console: All Versions
CB Cloud Sensor: All Versions
Linux: All Supported Versions
Cause
The Linux blocking feature does not yet have feature parity with the Windows sensor. On Linux, a blacklisted process must be running long enough for the sensor to detect and terminate it.
Resolution
The blacklisted process must remain running long enough for the sensor to detect and terminate it. Otherwise, short-lived processes may exit before the termination can be made.
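To check this behavior on a test host, the following added example (not part of the original article or the product) runs a blacklisted test binary for several durations and reports how each run ended. It assumes a sensor termination appears to the shell as death by signal (exit status above 128), which the article does not state; `TEST_BIN` and `DURATIONS` are hypothetical names, and the test binary is assumed to take a run time in seconds as its only argument.

```shell
#!/bin/sh
# Added example: classify how a test process ended, to see whether a
# blacklisted binary is terminated once it runs long enough.
# Assumption: termination by the sensor shows up as death by signal.

# classify_exit STATUS -> "completed", "exec-failed:N", "killed:SIG" or "exited:N"
classify_exit() {
    ce_status=$1
    if [ "$ce_status" -eq 0 ]; then
        echo "completed"                      # ran to the end, was not stopped
    elif [ "$ce_status" -eq 126 ] || [ "$ce_status" -eq 127 ]; then
        echo "exec-failed:$ce_status"         # shell could not start the binary
    elif [ "$ce_status" -gt 128 ]; then
        echo "killed:$((ce_status - 128))"    # ended by signal number N
    else
        echo "exited:$ce_status"              # ended on its own with an error
    fi
}

# run_and_classify CMD [ARGS...] -> run the command, print its classification
run_and_classify() {
    rc_status=0
    "$@" >/dev/null 2>&1 || rc_status=$?
    classify_exit "$rc_status"
}

# sweep BIN SECONDS... -> one "duration<TAB>outcome" line per run
sweep() {
    sw_bin=$1
    shift
    for sw_secs in "$@"; do
        printf '%ss\t%s\n' "$sw_secs" "$(run_and_classify "$sw_bin" "$sw_secs")"
    done
}

# Runs only when TEST_BIN is set, e.g.
#   TEST_BIN=/path/to/blacklisted-test-binary sh this-script.sh
if [ -n "${TEST_BIN:-}" ]; then
    # shellcheck disable=SC2086  # DURATIONS is split into words on purpose
    sweep "$TEST_BIN" ${DURATIONS:-0 1 5 30}
fi
```

Runs reported as `completed` at short durations and `killed:N` at longer ones match the behavior described in the Cause section.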