EDR: Process Name Function Does Not Work for VDI Instances

Article ID: 290459

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

When the Process Name feature is set in a Group Policy containing VDI instances, the 'cb.exe' executable does not change its process name.

Environment

  • EDR Server: All Versions
  • EDR VDI Sensor: All Versions

Cause

Unknown. Escalation EA-19073 was created to analyze the issue.

Resolution

The "obfuscation" feature is being deprecated as it never really provided any sort of protection. Even when the Carbon Black executable ("cb.exe") is renamed, there are many other ways for userland processes to detect the Sensor that cannot be prevented.

Additional Information

  • The best way to defend the software against an attacker is to enable "Tamper Protection" on a current version of the EDR sensor.