CB Cloud: Prevention not working with Linux Sensor

Article ID: 290262

Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

A hash was blacklisted and a Blocking and Isolation policy rule was created, but the hash is not being blocked or terminated on the Linux sensor.

Policy rule: Application on the company blacklist, Runs or is running, Deny / Terminate Operation

Environment

  • Carbon Black Cloud Console: All Versions
  • CB Cloud Sensor: All Versions
  • Linux: All Supported Versions

Cause

The Linux blocking feature does not yet have feature parity with the Windows sensor. On the Linux sensor, a blacklisted process must be running long enough for the sensor to detect and terminate it.

Resolution

The blacklisted process must remain running long enough for the sensor to detect and terminate it; otherwise, short-lived processes may exit before the termination can be made.
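
When validating the rule, use a test process that stays alive so that a quick exit is not mistaken for a policy failure. The script below is an added example, not Carbon Black code: it runs a test command and reports whether it was killed from outside, exited on its own, or was never terminated. The function name `watch_process`, the file name `watch.sh`, and the use of a blacklisted private copy of `sleep` as the test binary are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Run a blacklisted test binary and report
# whether something outside this script terminated it.
# Assumption: <command> is a harmless long-running test binary (for example a
# private copy of sleep) whose hash you have already blacklisted in the console.

# watch_process <max_seconds> <command> [args...]
# Prints "<outcome> <seconds_alive> <exit_status>" where outcome is:
#   terminated  killed by a signal (exit status above 128), e.g. by the sensor
#   exited      ended on its own before anything terminated it
#   survived    still running after <max_seconds>; this script then stops it
watch_process() {
    wp_max=$1
    shift
    wp_start=$(date +%s)
    "$@" &
    wp_pid=$!
    wp_status=0
    while kill -0 "$wp_pid" 2>/dev/null; do
        wp_alive=$(( $(date +%s) - wp_start ))
        if [ "$wp_alive" -ge "$wp_max" ]; then
            kill -TERM "$wp_pid" 2>/dev/null || true
            wait "$wp_pid" 2>/dev/null || wp_status=$?
            echo "survived $wp_alive $wp_status"
            return 0
        fi
        sleep 1
    done
    wait "$wp_pid" 2>/dev/null || wp_status=$?
    wp_alive=$(( $(date +%s) - wp_start ))
    if [ "$wp_status" -gt 128 ]; then
        echo "terminated $wp_alive $wp_status"
    else
        echo "exited $wp_alive $wp_status"
    fi
}

# Usage: sh watch.sh <max_seconds> <command> [args...]
if [ "$#" -ge 2 ]; then
    # Print the hash to compare with the blacklist entry (SHA-256 assumed).
    sha256sum "$(command -v "$2")"
    watch_process "$@"
fi
```

A `terminated` result with a long-running test binary shows the rule is enforced on that endpoint; an `exited` result only shows the process ended before any termination happened.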