Endpoint Standard: Previously trusted files terminated after upgrade to 3.6.0.1791

Article ID: 290955

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

After upgrading to 3.6.0.1791, some files are unexpectedly blocked or terminated by policy.
The console alert for the terminate will show:

  • App reputation: COMMON_WHITE_LIST
  • App reputation (applied, cloud): UNKNOWN
  • Attack Stage: INSTALL_RUN
  • Alert severity: 3
  • TTPs: POLICY_TERMINATE

Environment

  • Endpoint Standard (formerly CB Defense) Sensor: 3.6.0.1791
  • Microsoft Windows: All supported versions.

Cause

A fix was introduced in 3.6.0.1791 to overcome database corruption of file reputations. The fix wipes the corrupt reputation entry from the local database, which gives the file a reputation of unknown while the sensor is retrieving a new reputation. If the file is executed while the reputation is being retrieved, this can cause a terminate or deny.

Resolution

No action is required. The file's reputation will be updated immediately after the terminate, and no further policy actions will take place.
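For triage, the following added example (not Carbon Black code) checks alerts against the signature described in this article and flags any file that was terminated more than once on the same device, since the article states no further policy actions follow the first terminate. The record layout (`device`, `file`, `sensor`, `details`) and the device and file names are assumptions constructed for illustration; only the `details` text follows the alert fields quoted above.

```python
import re
from collections import defaultdict

# Matches "Key: VALUE" pairs, including keys such as "App reputation (applied, cloud)".
FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?(?:\([^)]*\))?):\s*(\S+)")
AFFECTED_SENSOR = "3.6.0.1791"
SIGNATURE = {  # field values quoted in the article
    "App reputation": "COMMON_WHITE_LIST",
    "App reputation (applied, cloud)": "UNKNOWN",
    "TTPs": "POLICY_TERMINATE",
}

def parse_fields(text):
    """Split 'Key: VALUE Key: VALUE' alert text into a dict."""
    return {key.strip(): value for key, value in FIELD.findall(text)}

def matches_signature(alert):
    fields = parse_fields(alert["details"])
    return (alert["sensor"] == AFFECTED_SENSOR
            and all(fields.get(k) == v for k, v in SIGNATURE.items()))

def triage(alerts):
    """Return {(device, file): verdict} for a list of alert records."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[(alert["device"], alert["file"])].append(alert)
    verdicts = {}
    for key, group in grouped.items():
        if not all(matches_signature(a) for a in group):
            verdicts[key] = "investigate: does not match signature"
        elif len(group) > 1:
            # The article says the terminate happens once per file.
            verdicts[key] = "investigate: repeated terminate"
        else:
            verdicts[key] = "consistent with known issue"
    return verdicts

# Constructed sample records (assumed layout, hypothetical names).
DETAILS = ("App reputation: COMMON_WHITE_LIST App reputation (applied, cloud): UNKNOWN "
           "Attack Stage: INSTALL_RUN Alert severity: 3 TTPs: POLICY_TERMINATE")
OTHER = DETAILS.replace("App reputation: COMMON_WHITE_LIST", "App reputation: UNKNOWN")
SAMPLE = [
    {"device": "WS-01", "file": "agent.exe", "sensor": AFFECTED_SENSOR, "details": DETAILS},
    {"device": "WS-02", "file": "updater.exe", "sensor": AFFECTED_SENSOR, "details": DETAILS},
    {"device": "WS-02", "file": "updater.exe", "sensor": AFFECTED_SENSOR, "details": DETAILS},
    {"device": "WS-03", "file": "tool.exe", "sensor": AFFECTED_SENSOR, "details": OTHER},
]

if __name__ == "__main__":
    for (device, name), verdict in triage(SAMPLE).items():
        print(f"{device} {name}: {verdict}")
```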