Endpoint Standard: Banned or Malware app was allowed to run although Policy rule was in place to deny \ terminate

Article ID: 290605

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

  • A banned or malware app was allowed to run while the sensor was assigned to a policy that does not have a deny \ terminate rule for malware or blacklisted apps (ex. Monitored Policy)
  • The sensor goes offline (e.g. loses network connection)
  • The sensor's policy is changed to a policy which has a deny \ terminate rule for malware or blacklisted apps (ex. Standard Policy)
  • When the sensor comes back online, the events on the Investigate Page are recorded with the updated policy (Standard Policy) instead of the policy actually assigned at the time the malware \ banned app ran (Monitored Policy)

Environment

  • Carbon Black Cloud Web Console: All Versions
  • Carbon Black Cloud Sensor: All Versions
  • Microsoft Windows: All Versions
  • Apple MacOS: All Versions

Cause

When events are sent from a sensor, they are recorded with the policy the sensor has at the time the event is ingested by the backend, not the policy the sensor had at the time the event occurred on the device.

Resolution

  • VMware Carbon Black is working on a fix which will ensure that the Investigate Page always records the policy assigned at the time of the event
  • To work around this issue in the meantime, use the Audit Log to confirm the policy which was actually assigned at the time of the event
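The following is an added example (not part of this article or of any Carbon Black tool) showing how to apply the workaround above: given Audit Log policy-change entries for a device, it determines the policy that was actually in force at each event's device time and flags Investigate Page events whose ingestion-time policy differs. The entry format, timestamps and event records are constructed for illustration.

```python
from bisect import bisect_right
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PolicyChange:
    """One 'device assigned to policy' entry as read from the Audit Log (constructed shape)."""
    changed_at: datetime
    policy: str


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data reproducing the sequence in the article:
# device on Monitored Policy, moved to Standard Policy at 12:00 while the sensor was offline.
AUDIT_LOG = [
    PolicyChange(_ts("2023-01-10T08:00:00"), "Monitored Policy"),
    PolicyChange(_ts("2023-01-10T12:00:00"), "Standard Policy"),
]

# Events as the Investigate Page shows them: device_time is when the app ran on the endpoint,
# recorded_policy is what the backend stamped when the sensor reconnected and the event was ingested.
EVENTS = [
    {"id": "evt-1", "device_time": _ts("2023-01-10T10:30:00"), "recorded_policy": "Standard Policy"},
    {"id": "evt-2", "device_time": _ts("2023-01-10T13:05:00"), "recorded_policy": "Standard Policy"},
]


def policy_at(audit_log, when):
    """Policy actually assigned at `when`: the latest Audit Log change at or before that instant."""
    changes = sorted(audit_log, key=lambda c: c.changed_at)
    idx = bisect_right([c.changed_at for c in changes], when)
    if idx == 0:
        raise ValueError(f"no policy assignment on record before {when.isoformat()}")
    return changes[idx - 1].policy


def misattributed(events, audit_log):
    """Events whose ingestion-time policy differs from the policy in force when the event occurred."""
    out = []
    for ev in events:
        actual = policy_at(audit_log, ev["device_time"])
        if actual != ev["recorded_policy"]:
            out.append((ev["id"], ev["recorded_policy"], actual))
    return out


if __name__ == "__main__":
    for ev_id, recorded, actual in misattributed(EVENTS, AUDIT_LOG):
        print(f"{ev_id}: Investigate Page shows {recorded!r}, Audit Log says {actual!r}")
```

Only evt-1 is flagged: it ran at 10:30 under Monitored Policy but was ingested after the 12:00 change, so the console attributes it to Standard Policy.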

Additional Information

  • Usually the policy at the time of the event and at backend ingestion is the same, but if the sensor has been offline and the policy was changed in the meantime, the two may differ