Carbon Black Cloud: What does "MALWARE_SERVICE_DISABLED" & "MALWARE_SERVICE_FOUND" TTP mean?

Article ID: 290390

Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

What does "MALWARE_SERVICE_DISABLED" & "MALWARE_SERVICE_FOUND" TTP mean?

Environment

  • Carbon Black Cloud Console: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

  • When a malware service is disabled, analytics generates the following alert text and augments the alert with the TTP MALWARE_SERVICE_DISABLED:
The known virus ‘x’ was detected and associated with the service ‘y’ configured to launch as ‘z’. A Disable Service Policy Action was applied.
  • When a malware service is found but not disabled, analytics generates the following alert text and augments the alert with the TTP MALWARE_SERVICE_FOUND:
The suspected virus ‘x’ was detected and associated with the service ‘y’ configured to launch as ‘z’.

NOTE: Where x = malware name, y = service name, z = launch mode

Additional Information

  • Starting in Sensor version 3.5, a new feature finds all malicious services associated with Known Malware hashes and puts them in a disabled state.
  • Malicious services that run at start-up have the potential to execute and impact the endpoint before the sensor starts up.
  • If the sensor disables the malware service, the service(s) remain in a disabled state across reboots and therefore cannot execute at startup.
  • If a service binary in question was not malicious or if some other tool is used to clean the malware, then the sensor will not automatically enable the service again.
  • This feature only applies to files with a Known Malware reputation.
  • Adding the file hash to the Company Approved List will override this behavior.
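The two alert texts above follow a fixed template, so a SOC pipeline can parse them back into the x/y/z fields and the TTP, and separate services the sensor already disabled from those that were only found and still need a manual check. The following Python is an added example, not Carbon Black code; the alert strings, malware names, service names and launch-mode values in it are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Template of the two alert texts documented above; accepts curly or straight quotes.
ALERT_RE = re.compile(
    r"The (?P<kind>known|suspected) virus [‘'](?P<malware>[^’']+)[’'] was detected "
    r"and associated with the service [‘'](?P<service>[^’']+)[’'] "
    r"configured to launch as [‘'](?P<launch>[^’']+)[’']\."
    r"(?P<action> A Disable Service Policy Action was applied\.)?"
)

@dataclass
class MalwareServiceAlert:
    malware: str      # x = malware name
    service: str      # y = service name
    launch_mode: str  # z = launch mode
    disabled: bool    # True when the Disable Service Policy Action was applied
    ttp: str          # MALWARE_SERVICE_DISABLED or MALWARE_SERVICE_FOUND

def parse_alert(text: str) -> Optional[MalwareServiceAlert]:
    """Parse one alert text; return None if it is not a malware-service alert."""
    m = ALERT_RE.search(text)
    if m is None:
        return None
    disabled = m.group("action") is not None
    return MalwareServiceAlert(
        malware=m.group("malware"),
        service=m.group("service"),
        launch_mode=m.group("launch"),
        disabled=disabled,
        ttp="MALWARE_SERVICE_DISABLED" if disabled else "MALWARE_SERVICE_FOUND",
    )

def triage(alert_texts: List[str]) -> Tuple[List[MalwareServiceAlert], List[MalwareServiceAlert], List[str]]:
    """Split alerts into: still enabled (found only, may run at next boot),
    disabled by the sensor (stays disabled; re-enable manually if it was a false positive),
    and texts that did not match the template."""
    still_enabled, disabled_by_sensor, unparsed = [], [], []
    for text in alert_texts:
        alert = parse_alert(text)
        if alert is None:
            unparsed.append(text)
        elif alert.disabled:
            disabled_by_sensor.append(alert)
        else:
            still_enabled.append(alert)
    return still_enabled, disabled_by_sensor, unparsed

# Constructed sample alerts (names and launch modes are placeholders, not real detections).
SAMPLE_ALERTS = [
    "The known virus ‘Trojan.Example’ was detected and associated with the service ‘ExampleSvc’ "
    "configured to launch as ‘auto start’. A Disable Service Policy Action was applied.",
    "The suspected virus ‘Trojan.Example2’ was detected and associated with the service ‘UpdaterSvc’ "
    "configured to launch as ‘demand start’.",
    "Unrelated alert text that should not match.",
]
```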