CB Cloud: Bad path in IT Tools whitelist causes connection to unrelated network resource
Article ID: 290414
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
A Network Attached Storage (NAS) server path is included in the IT Tools whitelist without a specific application listed (the path ends with wildcards instead of a tool or file dropper)
Connections to the NAS come from all endpoints with the Sensor installed, and are not limited to those with a logical or physical relationship to the NAS
A rise in connections to the NAS is seen when changes are made to a Policy
A larger increase in connections to the NAS is seen when changes are made to the Reputations page, potentially causing a Denial of Service
Connections to the NAS can be seen most easily immediately following Sensor install
Removing the NAS path from the IT Tools whitelist eliminates the connection attempts
Environment
Carbon Black Cloud (CB Cloud) Console: All Versions
Endpoint Standard (formerly CB Defense)
CB Cloud Sensor: 3.4.0.1086 - 3.4.0.1097
Microsoft Windows: All Supported Versions
Cause
Paths in the IT Tools whitelist go through path normalization, which causes the Sensor to reach out to the specified paths
Resolution
Remove the path to the NAS from the IT Tools whitelist and work with Carbon Black to determine the best course forward to resolve the underlying issue
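One way to find the entries to remove, as an added example (not Carbon Black code and not part of the original article): it flags entries that point at a network location and end in a wildcard rather than a named tool. It assumes the entries are plain path strings copied by hand from the console; the host names, paths and the mapped drive letter are constructed.

```python
import re

# Constructed sample entries (hypothetical hosts and paths), typed in by hand.
SAMPLE_ENTRIES = [
    r"\\nas01.example.internal\deploy\**",
    r"\\nas01.example.internal\deploy\tools\installer.exe",
    r"\\?\UNC\nas01.example.internal\images\*",
    r"Z:\software\*",
    r"C:\Program Files\Vendor\*",
]

def normalize(path):
    # Use backslashes throughout and unwrap the \\?\UNC\ long-path form.
    p = path.strip().replace("/", "\\")
    if p.upper().startswith("\\\\?\\UNC\\"):
        p = "\\\\" + p[8:]
    return p

def is_network_path(p, mapped_drives=()):
    # \\server\share is UNC; \\?\ and \\.\ are local device prefixes.
    if p.startswith("\\\\") and not re.match(r"^\\\\[?.]\\", p):
        return True
    # A drive letter counts only if the caller says it maps to a share.
    letters = {d[0].upper() for d in mapped_drives if d}
    return bool(re.match(r"^[A-Za-z]:", p)) and p[0].upper() in letters

def names_no_tool(p):
    # Assumption: a wildcard in the final component means no single
    # application is named.
    last = p.rstrip("\\").rsplit("\\", 1)[-1]
    return any(c in "*?" for c in last)

def audit(entries, mapped_drives=()):
    # Return the entries that point at a network location without naming a tool.
    return [e for e in entries
            if is_network_path(normalize(e), mapped_drives)
            and names_no_tool(normalize(e))]

if __name__ == "__main__":
    for entry in audit(SAMPLE_ENTRIES, mapped_drives=("Z:",)):
        print("review:", entry)
```

A drive letter cannot be recognised as a network share from the string alone, so mapped letters have to be passed in explicitly.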
Additional Information
This is typically seen when an attempt is made to use IT Tools whitelisting as path-based whitelisting, which is incorrect (see linked KBs for proper use)
Best practice is to work with Carbon Black to troubleshoot potential interop or performance issues to determine the appropriate method for resolution (code change, Permissions rules, etc.)