Malicious File Detected for a Computer or File No Longer Exists, or With an Old First Seen Date

Article ID: 291413


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Events or Alerts for "Malicious file detected" are generated for:

  • Files that no longer exist in the environment
  • Computers that no longer exist in the environment
  • An old First Seen Date

Environment

  • App Control Console: All Supported Versions

Cause

The File Catalog maintains a historical inventory of all files, from all Agents, regardless of whether those files have already been deleted from the endpoint(s). The "Malicious file detected" Events are generated by the Carbon Black Reputation Service when a file in the inventory is matched against a file in the Reputation Service that has a Malicious Reputation.

There are a few different aspects to these notices:

  1. Events (Reports > Events > Malicious File Detected)
    • Located in Reports > Events with subtype: "Malicious File Detected"
    • Events occur regardless of the current file prevalence in the environment. This makes it known that a file now considered Malicious has been in the environment historically.
  2. Alerts (Tools > Alerts > Malicious File Detected)
    • This is the red "flag" that appears in the top right-hand corner of the Console.
    • Alerts are generated when an Event matching the criteria outlined occurs.
  3. Event Rule (Rules > Event Rules)
    • An Event Rule is included which, by default, creates a Report Only Ban for files associated with the Event "Malicious File Detected".
    • This Event Rule can be adjusted (if desired) to automatically Ban files.

Resolution

  1. Verify File Prevalence:
    1. Log in to the Console, navigate to Reports > Events, and click the File Name from the Event.
    2. When the File Details page loads, locate General > File Prevalence.
      • If Prevalence is more than 0: Use the Related Views menu on the right-hand side to find the File Instances or Computers with the file. Deleting the file, or creating a File Ban, is the recommended action.
      • If Prevalence is 0: Continue to Step 2.
  2. Consider enabling Zero Prevalence Pruning to delete information on files that no longer exist in the environment.
    • Reputation updates are only sent for files that exist in the environment.
    • By default, App Control retains all file information (regardless of prevalence) forever.
  3. Consider creating a new Alert based on the Event Subtype: Malicious File Detected.
    • This allows the existing Alert to be disabled and additional Criteria (such as File Prevalence) to be applied to the new one.
  4. Review whether the associated Event Rule requires any adjustments.
    • Example: File Properties > Publisher > does not contain: Explicitly Trusted Publisher
    • Caution is advised when enabling automatic File Bans.
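The triage decision described in the Resolution steps above, as an added example that is not Carbon Black code: events are joined to their File Catalog entry, zero-prevalence hits are routed to pruning rather than banning, and trusted-publisher files are held for manual review. The record shapes and field names (fileCatalogId, prevalence, publisher) are constructed to resemble App Control API JSON and are an assumption, as are the sample values.

```python
"""Triage 'Malicious file detected' events by current File Prevalence.

Added example, not Carbon Black code. Field names mimic App Control API
JSON but are an assumption; check them against your own server.
"""
from dataclasses import dataclass

# Constructed sample: the File Catalog keeps entries even at prevalence 0.
FILE_CATALOG = {
    101: {"fileName": "installer_a.exe", "prevalence": 3, "publisher": "Example Corp"},
    102: {"fileName": "old_tool.exe", "prevalence": 0, "publisher": ""},
    103: {"fileName": "signed_util.exe", "prevalence": 1, "publisher": "Trusted Vendor Inc"},
}

# Constructed sample events, all of subtype "Malicious file detected".
EVENTS = [
    {"id": 1, "fileCatalogId": 101, "computerName": "WS-01"},
    {"id": 2, "fileCatalogId": 102, "computerName": "WS-99 (decommissioned)"},
    {"id": 3, "fileCatalogId": 103, "computerName": "WS-07"},
]

# Mirrors the suggested Event Rule exclusion
# "Publisher does not contain: Explicitly Trusted Publisher".
TRUSTED_PUBLISHERS = {"Trusted Vendor Inc"}


@dataclass
class Triage:
    event_id: int
    file_name: str
    prevalence: int
    action: str  # one of: prune, review_publisher, ban_or_delete


def triage_event(event, catalog=FILE_CATALOG, trusted=TRUSTED_PUBLISHERS) -> Triage:
    """Apply the Resolution steps: prevalence first, then publisher review."""
    entry = catalog[event["fileCatalogId"]]
    prev = entry["prevalence"]
    if prev == 0:
        action = "prune"  # historical hit only: Zero Prevalence Pruning candidate
    elif entry["publisher"] in trusted:
        action = "review_publisher"  # never auto-ban a trusted publisher's file
    else:
        action = "ban_or_delete"  # locate via Related Views, then delete or File Ban
    return Triage(event["id"], entry["fileName"], prev, action)


def alert_worthy(event, catalog=FILE_CATALOG) -> bool:
    """Criterion for the replacement Alert from step 3: prevalence above 0."""
    return catalog[event["fileCatalogId"]]["prevalence"] > 0


def triage_all(events=EVENTS):
    return [triage_event(e) for e in events]
```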

Additional Information

  • The data used to determine Malicious Reputation is constantly updated with new malware feed information, threat research results, and more.
  • It is possible that an existing file in the Reputation Service could change over time from Trusted to Malicious.
  • If the updated Reputation is believed to be incorrect, use the ESG Submission Portal to submit a file for review.