EDR: Flood of alerts from Abuse.ch from malwarebazaarsha256s report

Article ID: 290713

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Users receive a flood of alerts from the Abuse.ch feed malwarebazaarsha256s for Google Updater and PowerShell binaries
  • Searching MalwareBazaar for the offending hash returns no matches.
  • Reported hashes:
    b60e92004d394d0b14a8953a2ba29951c79f2f8a6c94f495e3153dfbbef115b6
    c4eada327d83caebe0929b3aa638db533a2d30c4ef15a3dc4f445245dfd53797
    de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c

Environment

  • EDR: All Versions (Formerly CB Response)

Cause

A change to the way Alliance gathers the MalwareBazaar report from the Abuse.ch feed caused an influx of new alerts.

Resolution

This has been corrected. If the feed was disabled during the issue, re-enable it.

Additional Information

  • The issue appears to have first occurred on June 19th, 2020
  • The hashes in the report come directly from the full export at https://bazaar.abuse.ch/export/
  • The VMware Carbon Black Threat Engineering team added a new false positive mitigation for this feed: hashes are checked against internal threat scores and filtered before being pushed to the feed
  • If you believe a reported hash is a false positive, report it to abuse.ch and let VMware Carbon Black Support know. False positives can be added to the internal mitigation.
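When a feed produces a burst of hits, a quick way to decide which hashes are worth reporting is to compare every SHA-256 IOC in the feed against an offline copy of the MalwareBazaar full export rather than searching hashes one at a time. The script below is an added example, not VMware Carbon Black or abuse.ch code. It assumes the feed uses the cbfeeds JSON layout (a `reports` list whose entries carry `iocs.sha256`) and that the export is the full CSV dump with `#`-prefixed comment lines and the SHA-256 in the second quoted column. The feed fragment and the export excerpt are constructed for the example; the feed carries the three hashes reported above, and the single export row is synthetic and matches no real sample.

```python
"""Triage Carbon Black EDR feed SHA-256 IOCs against an offline MalwareBazaar export.

Added example (not VMware Carbon Black or abuse.ch code). Assumptions:
  - feed JSON follows the cbfeeds layout: {"feedinfo": {...}, "reports": [{"id", "iocs": {"sha256": [...]}}]}
  - export is the MalwareBazaar full CSV: '#' comment lines, quoted fields, sha256_hash in column 2
"""
import csv
import json
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed feed fragment. The first three hashes are the ones reported in the
# article; the fourth is synthetic, and the fifth is deliberately malformed.
SAMPLE_FEED = json.dumps({
    "feedinfo": {"name": "malwarebazaarsha256s",
                 "display_name": "Abuse.ch MalwareBazaar SHA256s"},
    "reports": [
        {"id": "mb-20200619-1", "timestamp": 1592524800, "score": 100,
         "title": "MalwareBazaar SHA256 report",
         "link": "https://bazaar.abuse.ch/",
         "iocs": {"sha256": [
             "b60e92004d394d0b14a8953a2ba29951c79f2f8a6c94f495e3153dfbbef115b6",
             "c4eada327d83caebe0929b3aa638db533a2d30c4ef15a3dc4f445245dfd53797",
             "DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C",
             "0123456789abcdef" * 4,
             "not-a-hash",
         ]}},
    ],
})

# Constructed export excerpt in the full-CSV layout. The one data row is
# synthetic; the sha256 value does not correspond to any real sample.
SAMPLE_EXPORT = """\
################################################################
# MalwareBazaar full data dump (constructed excerpt for this example)
# "first_seen_utc","sha256_hash","md5_hash","sha1_hash","reporter","file_name","file_type_guess","mime_type","signature","clamav","vtpercent","imphash","ssdeep","tlsh"
################################################################
"2020-06-19 10:00:00", "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "n/a", "n/a", "example_reporter", "sample.exe", "exe", "application/x-dosexec", "n/a", "n/a", "n/a", "n/a", "n/a", "n/a"
"""


def feed_sha256s(feed_json):
    """Map each well-formed SHA-256 IOC (lower-cased) to the report ids carrying it.

    Returns (hashes, malformed): malformed IOCs are kept separately so they show
    up in triage instead of silently never matching."""
    hashes, malformed = {}, []
    for report in json.loads(feed_json).get("reports", []):
        for ioc in report.get("iocs", {}).get("sha256", []):
            norm = ioc.strip().lower()
            if SHA256_RE.match(norm):
                hashes.setdefault(norm, []).append(report.get("id"))
            else:
                malformed.append(ioc)
    return hashes, malformed


def export_sha256s(export_csv):
    """Collect the sha256_hash column from the full export, skipping comment lines."""
    data_lines = (ln for ln in export_csv.splitlines()
                  if ln.strip() and not ln.startswith("#"))
    known = set()
    # The export separates fields with ", " so skipinitialspace keeps the quoting intact.
    for row in csv.reader(data_lines, skipinitialspace=True):
        if len(row) > 1 and SHA256_RE.match(row[1].strip().lower()):
            known.add(row[1].strip().lower())
    return known


def triage(feed_json, export_csv):
    """Split feed hashes into those present in the export and those absent.

    Absent hashes are the ones to raise with abuse.ch and Carbon Black Support,
    since the feed is supposed to be built from this export."""
    hashes, malformed = feed_sha256s(feed_json)
    known = export_sha256s(export_csv)
    confirmed = {h: ids for h, ids in hashes.items() if h in known}
    unconfirmed = {h: ids for h, ids in hashes.items() if h not in known}
    return confirmed, unconfirmed, malformed


if __name__ == "__main__":
    confirmed, unconfirmed, malformed = triage(SAMPLE_FEED, SAMPLE_EXPORT)
    print("present in export (expected hits):")
    for h, ids in sorted(confirmed.items()):
        print("  ", h, ids)
    print("absent from export (report as false positives):")
    for h, ids in sorted(unconfirmed.items()):
        print("  ", h, ids)
    print("malformed IOCs:", malformed)
```

To use this against real data, load the feed JSON from the EDR server and the CSV from the downloaded full export (unzipped) in place of the two constructed strings; the hash comparison is case-insensitive, so mixed-case IOCs in a feed do not cause spurious misses.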