Endpoint Standard: Increase in HAS_BUFFER_OVERFLOW Alerts after upgrade to 3.6.0.1719

Article ID: 290597

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Large increase in Threat Alerts with TTPs COMPROMISED_PROCESS and HAS_BUFFER_OVERFLOW since upgrading to 3.6.0.1719 Sensor
  • The same volume of Alerts is not seen on 3.5.x.x or earlier Sensors

Environment

  • Carbon Black Cloud Console: September 03, 2020 release (0.57.x backend)
    • Endpoint Standard (was CB Defense)
  • Carbon Black Cloud Sensor: 3.6.0.1719
  • Microsoft Windows: All Supported Versions

Cause

Under investigation by Carbon Black Engineering teams

Resolution

08-Sep-2020 Update: Backend teams are evaluating an improved temporary suppression patch to further reduce the noise from this issue, targeting deployment on or before 10-Sep-2020.

On 03-Sep-2020, Carbon Black Engineering applied a temporary patch to all backends to minimize the impact of these Alerts until the Sensor-side fix is available. The Sensor-side issue has been identified, and the fix is planned for the September maintenance release, currently scheduled for 22-Sep-2020.

If this is causing you significant problems, please open a case with Carbon Black Technical Support and reference the UEX post below so it can be routed properly.

https://community.carbonblack.com/t5/Carbon-Black-Cloud-Discussions/Carbon-Black-3-6-Flooded-with-alerts/m-p/94122

This article will be updated as more information is made available.

Additional Information

This issue affects the Endpoint Standard product. Customers may also have other products enabled, but those are not relevant to this issue.