Carbon Black Cloud: Known Malware Allowed To Run After Reboot

Article ID: 290302

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Endpoint rebooted and Malware application started before CB Defense Sensor
  • Sensor does not terminate running Malware process immediately
  • Malware application is blocked once the Sensor is loaded fully

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Windows Sensor: Sensor 3.4 and below
  • Microsoft Windows: All Supported Versions

Cause

  • The CB Defense Sensor may briefly allow execution of processes that start before the CB Defense service (RepMgr) is running and able to apply Policy Rules based on the application's reputation.
  • This issue is being tracked for a fix under the ID SECEFF-6.

Resolution

This issue has been resolved in Sensor Version 3.5, which adds a feature that finds all malicious services associated with Known Malware hashes and puts them in a disabled state.
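As an added illustration (not Carbon Black's code), the following PowerShell check lets an administrator audit an endpoint for auto-start services whose binary matches a Known Malware hash, which is the class of service the 3.5 feature disables. The hash list is a constructed placeholder; populate it from the console's Malware Removal page or your own intelligence.

```powershell
# Added example, not Carbon Black code. Finds auto-start Windows services whose
# executable hash is on a known-malware list, the same class of service that the
# 3.5 sensor places in a disabled state. Run as Administrator.

# Constructed placeholder; replace with SHA-256 values from the Malware Removal page.
$KnownBadHashes = @(
    'PLACEHOLDER_SHA256_FROM_MALWARE_REMOVAL_PAGE'
)

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Service paths appear as '"C:\dir\svc.exe" -arg' or 'C:\dir\svc.exe -arg';
    # return only the executable, without arguments.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Find-KnownBadAutoStartService {
    param([string[]]$BadHashes)
    $results = @()
    $autoStart = Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }
    foreach ($svc in $autoStart) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        if ($BadHashes -contains $hash) {
            $results += [PSCustomObject]@{
                Service = $svc.Name
                Path    = $exe
                SHA256  = $hash
                State   = $svc.State
            }
        }
    }
    return $results
}

$hits = Find-KnownBadAutoStartService -BadHashes $KnownBadHashes
$hits | Format-Table -AutoSize

# To mirror the 3.5 sensor behaviour, disable each matching service so it cannot
# start ahead of RepMgr on the next reboot (uncomment after reviewing the hits):
# foreach ($h in $hits) { Set-Service -Name $h.Service -StartupType Disabled }
```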

Additional Information

  • Malware can also be removed from the impacted endpoint either manually or automatically using the Malware Removal page in the CB Defense Web Console:
    1. Go to the Malware Removal page.
    2. Select Mode: Detected to see detected files with malware reputations.
    3. Use the dropdown at the far right of the line for the desired file to select Delete application.
    4. On the Delete Application pop-up, follow the instructions to confirm that the hash is bad.
    5. Use the radio buttons to select one of the options to Delete this application from:
      • This device only
      • All devices
    6. The application will be queued for deletion on the next Sensor check-in.