PSC: Does the sensor disable device services?

Article ID: 292088

Updated On: 01-31-2020

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Does the sensor disable device services?

Environment

  • CB Defense PSC Console: All Versions
  • CB Defense PSC Sensor: 3.5 and above
  • Microsoft Windows: All Supported Versions

Resolution

Yes. Starting in Sensor version 3.5, the sensor finds all malicious services associated with Known Malware hashes and puts them in a disabled state.

Additional Information

  • Malicious services that run at start-up have the potential to execute and impact the endpoint before the sensor starts up.
  • If the sensor disables the malware service, the service(s) remain in a disabled state across reboots and therefore cannot execute at startup.
  • If the service binary in question was not malicious, or if some other tool is used to clean the malware, the sensor will not automatically enable the service again.
  • This feature only applies to files with a Known Malware reputation, so files with a Company Blacklist, Suspect/Heuristic Malware, or Adware/PUP Malware reputation may still execute on device boot-up if they are started before the sensor service.
  • This feature does not take effect unless the prevention rule "Known malware Runs or is running" with Deny\Terminate is enabled on the device policy.
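
Because a disabled service is not re-enabled automatically, an administrator may need to review what is currently disabled on an endpoint. The following PowerShell is an added example, not part of the original article or of the sensor: it reads only the Windows service database, cannot tell which services the sensor disabled, and uses `ExampleSvc` as a placeholder name.

```powershell
# Added example: inventory disabled Windows services for manual review.
# It does not query the sensor; it only reads Win32_Service and the file system.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A service command line may be quoted and carry arguments,
    # e.g. "C:\Dir\svc.exe" -k group   or   C:\Dir\svc.exe /run
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted: take everything up to the first executable extension.
    if ($expanded -match '^(.+?\.(exe|dll|sys))(\s|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-DisabledServiceReport {
    Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Disabled'" |
        ForEach-Object {
            $binary = Get-ServiceBinaryPath -PathName $_.PathName
            $exists = $binary -and (Test-Path -LiteralPath $binary -PathType Leaf)
            [pscustomobject]@{
                Name       = $_.Name
                State      = $_.State
                BinaryPath = $binary
                OnDisk     = [bool]$exists
                # The hash can be looked up against the reputation shown in the console.
                SHA256     = if ($exists) { (Get-FileHash -LiteralPath $binary -Algorithm SHA256).Hash } else { $null }
                Signature  = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $binary).Status } else { $null }
            }
        }
}

Get-DisabledServiceReport | Sort-Object Name | Format-Table -AutoSize

# Once a service binary has been confirmed benign, restore its start type by hand.
# 'ExampleSvc' is a placeholder service name.
# Set-Service -Name 'ExampleSvc' -StartupType Manual
```

Many Windows services are disabled by default, so entries whose binary is missing from disk or is unsigned are the ones to review first.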