Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Does the sensor disable device services?
Environment
CB Defense PSC Console: All Versions
CB Defense PSC Sensor: 3.5 and above
Microsoft Windows: All Supported Versions
Resolution
Yes. Starting in Sensor version 3.5, the sensor finds every service whose binary has a Known Malware reputation hash and sets that service to the Disabled startup type.
Additional Information
Malicious services that run at start-up have the potential to execute and impact the endpoint before the sensor starts up.
Once the sensor disables a malicious service, the service stays in the Disabled state across reboots and therefore cannot execute at startup.
If the service binary turns out not to be malicious, or if another tool is used to clean the malware, the sensor does not automatically re-enable the service; an administrator must review it and re-enable it manually.
This feature applies only to files with a Known Malware reputation. Files with a Company Blacklist, Suspect/Heuristic Malware, or Adware/PUP Malware reputation are not covered, so their services may still execute at boot if they start before the sensor service.
This feature takes effect only if the prevention rule "Known malware" / "Runs or is running" with the Deny or Terminate action is enabled in the device's policy.
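Because the sensor never re-enables a service on its own, an administrator who cleans up after an infection (or a false positive) needs to find the services that were left disabled and verify what binary each one points at. The following PowerShell is an added example written for this article; it is not code from the Carbon Black KB or from the Carbon Black sensor. It inventories every service with a Disabled startup type, resolves the service image path (quoted, unquoted, or containing environment variables), and hashes the binary with SHA-256 so the hash can be looked up against its reputation in the Carbon Black Cloud console before the service is re-enabled. It assumes Windows PowerShell 5.1 or later on a supported Windows version, run from an elevated prompt; the service name `ExampleSvc` at the end is a hypothetical placeholder.

```powershell
# Added example (not from the Carbon Black KB or Carbon Black code): inventory
# disabled Windows services and hash their binaries so an admin can compare the
# hashes against the reputation shown in the Carbon Black Cloud console before
# deciding whether a service the sensor disabled should be re-enabled.
# Assumes Windows PowerShell 5.1 or later, run from an elevated prompt.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Service image paths come in several shapes:
    #   "C:\Program Files\Vendor\svc.exe" -arg
    #   C:\Windows\system32\svchost.exe -k netsvcs
    #   %SystemRoot%\system32\foo.exe
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted: cut at the first argument marker (" -" or " /"). If what is left
    # is not an existing file, fall back to the first whitespace-free token.
    $candidate = ($expanded -split '\s+[-/]', 2)[0].Trim()
    if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    return ($expanded -split '\s+', 2)[0]
}

function Get-DisabledServiceHashes {
    [CmdletBinding()]
    param()
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Disabled' } |
        ForEach-Object {
            $bin  = Get-ServiceBinaryPath -PathName $_.PathName
            $hash = $null
            if ($bin -and (Test-Path -LiteralPath $bin -PathType Leaf)) {
                $hash = (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Name       = $_.Name
                State      = $_.State
                BinaryPath = $bin
                Sha256     = $hash   # $null: binary missing, e.g. already cleaned by another tool
            }
        }
}

# Review the list and look each SHA-256 up in the console before touching anything.
Get-DisabledServiceHashes | Format-Table -AutoSize

# Re-enable only a service whose binary you have verified is benign. The sensor
# will not do this for you. 'ExampleSvc' is a hypothetical placeholder name.
# Set-Service -Name 'ExampleSvc' -StartupType Automatic
# Start-Service -Name 'ExampleSvc'
```

The script deliberately does not call any Carbon Black API; the reputation check is done by hand in the console against the printed SHA-256. A service whose `Sha256` column is empty had its binary removed already (by the sensor's own remediation or by another tool), which is the case described above where the service remains disabled even though the malware is gone.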