Carbon Black Cloud: Known Malware Allowed To Run After Reboot
Article ID: 290302
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
After an endpoint reboot, a malware application starts before the CB Defense Sensor has loaded
The Sensor does not terminate the already-running malware process immediately
The malware application is blocked only once the Sensor is fully loaded
Environment
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Windows Sensor: Sensor 3.4 and below
Microsoft Windows: All Supported Versions
Cause
The CB Defense Sensor may briefly allow execution of processes that start before the CB Defense service (RepMgr) is running and able to evaluate them against Policy Rules based on the application's reputation. A process launched at boot (for example by a service or autorun entry) can therefore run during the window between boot and full Sensor load.
This issue is being tracked for fix with the ID SECEFF-6
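To see how wide that window is on a given endpoint, the following PowerShell script (an added example, not code from the Carbon Black article or product) lists the processes that started after the last boot but before the Sensor process came up, along with the Sensor version. It assumes the Sensor's main process is RepMgr.exe; run it elevated so that executable paths are readable for processes owned by other accounts.

```powershell
# Added example: enumerate processes that were already running before the
# CB Defense Sensor process (assumed to be RepMgr.exe) started on this boot.
# Uses Win32_Process so that CreationDate is readable without exceptions for
# protected processes; ExecutablePath may still be empty without elevation.

$boot  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$procs = Get-CimInstance -ClassName Win32_Process

# Earliest RepMgr.exe instance is the Sensor service process for this boot
$sensor = $procs |
    Where-Object { $_.Name -eq 'RepMgr.exe' } |
    Sort-Object CreationDate |
    Select-Object -First 1

if (-not $sensor) {
    Write-Warning 'RepMgr.exe is not running; the Sensor is not loaded on this host.'
    return
}

# Sensor version from the binary's file metadata (the affected range is 3.4 and below)
$version = 'unknown'
if ($sensor.ExecutablePath) {
    $version = (Get-Item -LiteralPath $sensor.ExecutablePath).VersionInfo.ProductVersion
}

Write-Host ("Boot: {0}  Sensor (PID {1}) started: {2}  Sensor version: {3}" -f
    $boot, $sensor.ProcessId, $sensor.CreationDate, $version)
Write-Host ("Pre-Sensor window: {0:N1} seconds" -f
    ($sensor.CreationDate - $boot).TotalSeconds)

# Everything created in that window ran without the Sensor's reputation checks
$procs |
    Where-Object {
        $_.CreationDate -and
        $_.CreationDate -ge $boot -and
        $_.CreationDate -lt $sensor.CreationDate -and
        $_.ProcessId -ne $sensor.ProcessId
    } |
    Sort-Object CreationDate |
    Select-Object ProcessId, Name, CreationDate, ExecutablePath, CommandLine |
    Format-Table -AutoSize -Wrap
```

Entries with an empty ExecutablePath are usually system processes that could not be opened; review them separately rather than discarding them. Anything unexpected in this list that the Sensor later blocks is a candidate for the Malware Removal procedure below.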
Resolution
This issue has been resolved in Sensor Version 3.5 with a new feature that finds all services associated with Known Malware hashes and places them in a disabled state, so they are not started on the next boot before the Sensor is loaded.
Additional Information
Malware can also be removed from the impacted endpoint either manually or automatically using the Malware Removal page in the CB Defense Web Console.
Go to the Malware Removal page
Select Mode: Detected to see detected files with malware reputations
Use the dropdown at the far-right of the line for the desired file to select Delete application
On the Delete Application pop-up, follow the instructions to confirm that the hash is bad
Use the radio-buttons to select one of the options to Delete this application from
This device only
All devices
Application will be queued for deletion on the next Sensor check-in