EDR: Process Name Function Does Not Work for VDI Instances
Article ID: 290459
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
When the Process Name feature is set in a Group Policy that contains VDI instances, the 'cb.exe' executable does not change its process name.
Environment
EDR Server: All Versions
EDR VDI Sensor: All Versions
Cause
Unknown. Escalation EA-19073 was created to analyze the issue.
Resolution
The "obfuscation" (Process Name) feature is being deprecated because it never provided meaningful protection. Renaming the Carbon Black executable ("cb.exe") changes only the name a process shows; it does not hide the sensor's service, its kernel driver, its installation directory, its registry entries or its loaded modules, and a userland process can enumerate any of these. Because those detection paths cannot be closed by a rename, the feature is not worth fixing for VDI and is being removed.
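To make the point concrete, the following PowerShell is an added example, not part of this article and not Carbon Black tooling: it enumerates the host-side artifacts that a process rename leaves untouched. The search string in $Needle is an assumption; the article names only "cb.exe" and the vendor, so the real service, driver and folder names must be supplied by the reader.

```powershell
# Added example, not Carbon Black code. $Needle is an assumed substring;
# the actual sensor service/driver/folder names are not taken from the KB article.
param([string]$Needle = 'CarbonBlack')

# 1. Process name: the only artifact the deprecated "obfuscation" feature altered.
$procs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$Needle*" } |
    Select-Object @{n='Kind';e={'Process'}}, @{n='Name';e={$_.Name}}, @{n='Path';e={$_.Path}}

# 2. Services keep their registered name and binary path regardless of the displayed process name.
$svcs = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like "*$Needle*" -or $_.PathName -like "*$Needle*" } |
    Select-Object @{n='Kind';e={'Service'}}, Name, @{n='Path';e={$_.PathName}}

# 3. Kernel drivers (filesystem minifilters, network filters) are registered under their own names.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -like "*$Needle*" -or $_.PathName -like "*$Needle*" } |
    Select-Object @{n='Kind';e={'Driver'}}, Name, @{n='Path';e={$_.PathName}}

# 4. Installation directories under Program Files.
$dirs = Get-ChildItem $env:ProgramFiles, ${env:ProgramFiles(x86)} -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$Needle*" } |
    Select-Object @{n='Kind';e={'Directory'}}, Name, @{n='Path';e={$_.FullName}}

# 5. Registry Uninstall entries written by the installer.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$reg = Get-ChildItem $uninstallKeys -ErrorAction SilentlyContinue |
    Get-ItemProperty -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$Needle*" } |
    Select-Object @{n='Kind';e={'Registry'}}, @{n='Name';e={$_.DisplayName}}, @{n='Path';e={$_.PSPath}}

# Anything returned by 2 through 5 would still be visible with cb.exe renamed,
# which is why renaming the process never amounted to protection.
$procs + $svcs + $drivers + $dirs + $reg | Format-Table -AutoSize
```

Run it unprivileged to see what an ordinary userland process can observe; none of the queries in steps 2 through 5 require administrative rights, and none of them depend on the process name.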
Additional Information
The best way to defend the sensor against an attacker is to enable "Tamper Protection" on a current version of the EDR sensor, which protects the sensor's processes, services and files from modification rather than trying to hide them.