Carbon Black Cloud: Why Does an Alert Show repmgr.exe as the Parent Process for a Malware Detection?

Article ID: 290392

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

Why do the following CB Analytics alerts show a Sensor process (repmgr.exe) invoking malware in the process tree?

  • A file (filename.exe) with a reputation of known malware was found on disk.
  • A known virus (Virus: MalwareName) was detected.

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Supported Versions

Resolution

  • Alerts take this form when a file on the local system is scanned by the Sensor's Reputation Manager Service (repmgr.exe) and assigned a malicious reputation.
  • Because the event records the file's presence on disk (persistence) rather than its execution, the parent process shown is the Sensor process that scanned the file.
  • The Sensor did not execute the malware; it is reporting that a malicious file exists after detecting it. A repmgr.exe parent in one of these alerts is therefore not evidence that the file ran; whether it was ever launched has to be judged from other process events, where the file itself would appear as the process and its launcher as the parent.

Additional Information

  • These alerts can be generated in a number of situations: during a Background or On-Demand Scan, after a malicious file is introduced to the local system, or when a file that was scanned earlier is later updated with a malicious reputation.
  • Observations of this type are assigned one of the following TTPs: DETECTED_MALWARE_APP or DETECTED_BANNED_APP.
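The following triage helper is an added example, not Carbon Black's code and not part of the original article. It applies the rule the article describes: an alert whose parent process is repmgr.exe and whose TTPs include DETECTED_MALWARE_APP or DETECTED_BANNED_APP is a file-on-disk reputation detection, not an execution, and can be handled as such rather than escalated as "the Sensor launched malware". The record layout (keys `process_name`, `parent_name`, `ttps`) and the sample alerts are constructed for illustration and are not the real Carbon Black Cloud alert schema; the sensor install path and the RUN_MALWARE_APP TTP used in the samples are likewise assumptions.

```python
"""Triage Carbon Black Cloud alerts whose parent process is repmgr.exe.

Added example, not Carbon Black's code. The record layout used here
(keys 'process_name', 'parent_name', 'ttps') is an assumption chosen for
illustration, not the real CBC alert schema. SAMPLE_ALERTS are constructed.
"""
from __future__ import annotations

import ntpath
from collections import Counter
from dataclasses import dataclass

# Sensor component that scans files on disk and assigns reputation (per the article).
SENSOR_SCANNER = "repmgr.exe"

# TTPs the article says are attached to file-on-disk reputation detections.
FILE_SCAN_TTPS = {"DETECTED_MALWARE_APP", "DETECTED_BANNED_APP"}


@dataclass(frozen=True)
class Triage:
    verdict: str  # "scan_detection", "execution", or "review"
    note: str


def _basename(path: str) -> str:
    """Alerts may carry a full Windows path; compare on the file name, case-insensitively."""
    return ntpath.basename(path or "").lower()


def triage_alert(alert: dict) -> Triage:
    """Classify one alert by parent process and TTPs."""
    parent = _basename(alert.get("parent_name", ""))
    ttps = {t.upper() for t in alert.get("ttps", [])}
    scan_ttps = ttps & FILE_SCAN_TTPS

    if parent == SENSOR_SCANNER and scan_ttps:
        # The Reputation Manager scanned the file and flagged its reputation.
        # Nothing executed it; the "parent" is only the scanner that found it.
        return Triage(
            "scan_detection",
            f"{_basename(alert.get('process_name', ''))} flagged on disk by "
            f"{SENSOR_SCANNER} ({', '.join(sorted(scan_ttps))}); confirm the "
            f"file was remediated, no execution implied",
        )
    if parent == SENSOR_SCANNER:
        # Scanner as parent but no file-reputation TTP: not covered by the
        # article's explanation, so do not auto-close; have an analyst look.
        return Triage("review", f"{SENSOR_SCANNER} parent without file-scan TTPs: {sorted(ttps)}")
    # Any other parent means a real process launched the file: treat as execution.
    return Triage("execution", f"launched by {parent or 'unknown parent'}; investigate the process tree")


def summarize(alerts: list[dict]) -> dict[str, int]:
    """Count alerts per verdict, e.g. to see how many are just scan hits."""
    return dict(Counter(triage_alert(a).verdict for a in alerts))


# Constructed sample alerts (not real data). The install path is an assumption.
SAMPLE_ALERTS = [
    {   # file found on disk by the scanner: the case the article explains
        "id": "A1",
        "process_name": r"C:\Users\alice\Downloads\filename.exe",
        "parent_name": r"C:\Program Files\Confer\repmgr.exe",
        "ttps": ["DETECTED_MALWARE_APP"],
    },
    {   # same file actually run from Explorer: a genuine execution
        "id": "A2",
        "process_name": r"C:\Users\alice\Downloads\filename.exe",
        "parent_name": r"C:\Windows\explorer.exe",
        "ttps": ["RUN_MALWARE_APP"],  # assumed TTP name for the sample
    },
    {   # banned-list hit during a background scan
        "id": "A3",
        "process_name": r"C:\Temp\tool.exe",
        "parent_name": "REPMGR.EXE",  # case differs; still the scanner
        "ttps": ["detected_banned_app"],
    },
    {   # scanner parent but an unexpected TTP: leave for an analyst
        "id": "A4",
        "process_name": r"C:\Temp\odd.exe",
        "parent_name": r"C:\Program Files\Confer\repmgr.exe",
        "ttps": ["SOME_OTHER_TTP"],
    },
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        t = triage_alert(a)
        print(f"{a['id']}: {t.verdict:15} {t.note}")
    print(summarize(SAMPLE_ALERTS))
```

The point of the `review` branch is that the article only explains alerts carrying the two file-scan TTPs; an alert with repmgr.exe as parent but some other TTP should not be closed on the strength of this article alone.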