Carbon Black Cloud: Why Does an Alert Show repmgr.exe as the Parent Process for a Malware Detection?
Article ID: 290392
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
Issue/Introduction
Why do the following CB Analytics Alerts show a Sensor process (repmgr.exe) invoking malware in the process tree?
A file (filename.exe) with a reputation of known malware was found on disk.
A known virus (Virus: MalwareName) was detected.
Environment
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Sensor: All Supported Versions
Resolution
Alerts are generated in this format when the Sensor's Reputation Manager Service (repmgr.exe) scans a file found on the local system and assigns it a malicious reputation.
Because the event records the file's persistence on disk rather than its execution, the parent process shown is the Sensor process that scanned the file.
The Sensor is not executing the malware file; it is only reporting the file's existence after detecting its malicious reputation.
Additional Information
Alerts of this type can be generated in a number of situations: during a Background or On-Demand Scan, after a malicious file is introduced to the local system, or when a previously scanned file is later updated with a malicious reputation.
Observations of this type will be assigned one of the following TTPs: DETECTED_MALWARE_APP or DETECTED_BANNED_APP.
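The distinction the article draws (a repmgr.exe parent plus a DETECTED_MALWARE_APP or DETECTED_BANNED_APP TTP means the Sensor found the file on disk, not that the Sensor ran it) is easy to encode as a triage rule. The following is an added example, not code from the article or from Carbon Black; the alert record layout (keys "id", "parent_path", "ttps", "reason") and the sensor install path in the sample data are constructed for this example and are not the Carbon Black Cloud alert API schema.

```python
from typing import Dict, List

# TTPs named in the article for file-on-disk reputation detections.
SCAN_TTPS = {"DETECTED_MALWARE_APP", "DETECTED_BANNED_APP"}

# The Sensor's Reputation Manager Service, which the article names as the
# process that scans files and therefore appears as the parent in the tree.
SENSOR_SCANNER = "repmgr.exe"


def parent_basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_alert(alert: Dict) -> str:
    """Label one alert record for triage.

    The record layout ("parent_path", "ttps") is a constructed schema for
    this example, not the real Carbon Black Cloud alert format.
    """
    ttps = {t.upper() for t in alert.get("ttps", [])}
    parent = parent_basename(alert.get("parent_path", ""))
    if ttps & SCAN_TTPS:
        if parent == SENSOR_SCANNER:
            # Sensor scan found the file on disk; nothing executed it here.
            return "file_on_disk_detected_by_sensor_scan"
        # Same reputation TTP but a different parent: the file's presence is
        # attributed to another process, so review that process tree.
        return "reputation_detection_other_parent"
    return "not_a_reputation_detection"


def triage(alerts: List[Dict]) -> Dict[str, List[str]]:
    """Group alert ids by triage label."""
    groups: Dict[str, List[str]] = {}
    for alert in alerts:
        groups.setdefault(classify_alert(alert), []).append(alert["id"])
    return groups


# Constructed sample alerts (ids, paths and reasons are made up for this
# example; "C:\Program Files\Sensor" is a placeholder install directory).
SAMPLE_ALERTS = [
    {
        "id": "A-1",
        "parent_path": "C:\\Program Files\\Sensor\\RepMgr.exe",
        "ttps": ["DETECTED_MALWARE_APP"],
        "reason": "A file (filename.exe) with a reputation of known malware was found on disk.",
    },
    {
        "id": "A-2",
        "parent_path": "C:\\Program Files\\Sensor\\repmgr.exe",
        "ttps": ["DETECTED_BANNED_APP"],
        "reason": "A known virus (Virus: MalwareName) was detected.",
    },
    {
        "id": "A-3",
        "parent_path": "C:\\Windows\\explorer.exe",
        "ttps": ["DETECTED_MALWARE_APP"],
        "reason": "A file (filename.exe) with a reputation of known malware was found on disk.",
    },
    {
        "id": "A-4",
        "parent_path": "C:\\Windows\\System32\\cmd.exe",
        "ttps": ["CONSTRUCTED_OTHER_TTP"],
        "reason": "Constructed non-reputation alert for contrast.",
    },
]

if __name__ == "__main__":
    for label, ids in triage(SAMPLE_ALERTS).items():
        print(f"{label}: {', '.join(ids)}")
```

The parent check normalises case and path separators because the process name can appear as RepMgr.exe or repmgr.exe depending on where the path was captured; matching on the TTP alone is not enough, since the same TTP on a different parent should still be reviewed rather than dismissed as a scan artefact.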