EDR: What type of files does "Ban the Hash" block?
Article ID: 291409
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
What type of files does "Ban the Hash" block? Does it ban Word documents?
Environment
EDR (formerly CB Response) : All versions
Resolution
The EDR banning feature identifies and bans processes based on their MD5 hash. It does not ban shared libraries, such as DLLs, SYSs, CPLs, and OCXs.
Additional Information
Binary: An executable file (for example, a Windows PE file, a Linux ELF file, or a macOS Mach-O file) that is stored on a computer in binary form for execution and processing purposes.
EDR only collects binaries that execute. It does not collect scripts, batch files, or computer files that are created or modified.
EDR does collect the script or batch file names from command prompts and command lines.
EDR also collects file names and paths as they are created or modified.
If winword.exe is used to open a Word document, a filemod event for that document is recorded under the winword.exe process. However, EDR does not provide a way to ban the Word document itself.
EDR does not support SHA-256 banning, even though SHA-256 hashes can be seen in the console; only the MD5 hash is used for banning.
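As an added illustration (not part of this article and not Carbon Black's own tooling), the following Python script applies the rules above to a file's bytes: it computes the MD5 (the only hash banning accepts), parses the PE COFF header to tell a process executable from a DLL-type image (DLL, CPL and OCX files carry the IMAGE_FILE_DLL flag), and recognises Office documents, which have filemod events but cannot be banned. The sample headers are constructed inline, not real files; only Windows PE images are classified here, ELF and Mach-O are not.

```python
import hashlib
import struct

# COFF Characteristics flag that marks a PE image as a DLL (also set on CPL and OCX files).
IMAGE_FILE_DLL = 0x2000

# Constructed sample headers (not real files): a minimal DOS stub + PE signature + COFF header.
def _fake_pe(characteristics: int) -> bytes:
    dos_stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return dos_stub + b"PE\0\0" + coff

SAMPLE_EXE = _fake_pe(0x0102)                     # EXECUTABLE_IMAGE | 32BIT_MACHINE
SAMPLE_DLL = _fake_pe(0x0102 | IMAGE_FILE_DLL)    # same flags, plus the DLL flag
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24   # OLE2 header (legacy .doc)
SAMPLE_DOCX = b"PK\x03\x04" + b"[Content_Types].xml"           # OOXML .docx is a zip container

def classify(data: bytes) -> str:
    """Identify what kind of file the bytes are, from magic values and PE header flags only."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 24:
            # Characteristics sits 18 bytes into the 20-byte COFF header that follows "PE\0\0"
            flags = struct.unpack_from("<H", data, e_lfanew + 22)[0]
            return "pe-dll" if flags & IMAGE_FILE_DLL else "pe-exe"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole-document"
    if data[:4] == b"PK\x03\x04":
        return "zip-container"
    return "other"

def ban_candidate(data: bytes) -> dict:
    """Return the MD5 (the hash Ban the Hash keys on) and whether banning can apply.

    Only images that run as their own process are bannable. A PE image with the DLL
    flag is loaded into another process and is not banned; documents are never
    bannable, even though EDR records a filemod event when they are written.
    """
    kind = classify(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),   # SHA-256 is visible in EDR but not usable for banning
        "kind": kind,
        "bannable": kind == "pe-exe",
    }

if __name__ == "__main__":
    for name, blob in [("exe", SAMPLE_EXE), ("dll", SAMPLE_DLL), ("doc", SAMPLE_DOC), ("docx", SAMPLE_DOCX)]:
        print(name, ban_candidate(blob))
```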