Endpoint Standard: Deny/Terminate action taken on an Allowed Application

Article ID: 292251

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Deny/Terminate action taken on an application that has a trusted white reputation
  • The application initially had a reputation other than trusted white, e.g. UNKNOWN, NOT_LISTED, RESOLVING, ADAPTIVE
  • The application process started while its reputation was not trusted white
  • The application process continued to run after its reputation was upgraded to trusted white

Environment

  • Carbon Black Cloud Console: All Supported Versions
  • Endpoint Standard Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Cause

  • A reputation change does not change the policy already applied to a currently running process.
  • For example, if a "terminate not listed applications when they scrape memory" rule is in place and chrome.exe has a NOT_LISTED reputation when it starts, chrome.exe will be terminated under that rule if or when it tries to scrape memory, even if its reputation has since been upgraded to a whitelist reputation.

Resolution

  • The process must be stopped and started again (restarted) for the policy that matches its current reputation to take effect.
  • In the above example, once the chrome.exe process has been stopped and started again, the "terminate not listed applications when they scrape memory" rule no longer applies to the process, because the upgraded whitelist reputation is now taken into account.

Additional Information

  • If a terminate rule for "tries to run" or "is running" does not apply to that specific file path or reputation, the process continues to run without issue unless or until it attempts the specific operation associated with the terminate action, e.g. scrapes memory, communicates over the network.
  • Example:
  1. Customer has a "terminate not listed applications when they scrape memory" rule
  2. Chrome.exe pid=1150 starts
  3. Sensor gets a NOT_LISTED reputation for it
  4. Reputation is upgraded to company white
  5. Chrome.exe pid=1150 continues to run for several days
  6. Chrome.exe pid=1150 tries to scrape memory and is then terminated
  7. Stop/start Chrome.exe and the "terminate not listed applications when they scrape memory" rule will no longer apply
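The behaviour described in Cause and walked through in the example above, modelled as an added Python illustration (not Carbon Black sensor code): the reputation a process had at launch is what rules are evaluated against until that process exits, and a helper lists the running processes that still need a restart after an upgrade. Reputation strings, PIDs and the rule are constructed for the walk-through.

```python
from dataclasses import dataclass

# Constructed model of the behaviour in this article; not sensor code.
# The reputation snapshot taken when a process launches is never refreshed,
# so a later upgrade only affects processes started after the change.

@dataclass
class Process:
    pid: int
    name: str
    reputation_at_start: str   # snapshot taken at launch, never refreshed

@dataclass
class Rule:
    reputation: str            # e.g. "NOT_LISTED"
    operation: str             # e.g. "SCRAPES_MEMORY"
    action: str                # e.g. "TERMINATE"

def evaluate(rule: Rule, proc: Process, operation: str) -> str:
    """Action taken when `proc` attempts `operation` under `rule`."""
    if proc.reputation_at_start == rule.reputation and operation == rule.operation:
        return rule.action
    return "ALLOW"

def stale_processes(procs, current_reputation: dict) -> list:
    """PIDs whose start-time reputation differs from the application's current
    reputation, i.e. processes that must be restarted for the upgrade to apply."""
    return [p.pid for p in procs
            if current_reputation.get(p.name, p.reputation_at_start) != p.reputation_at_start]

# Constructed walk-through of the numbered example above.
rule = Rule("NOT_LISTED", "SCRAPES_MEMORY", "TERMINATE")
chrome = Process(1150, "chrome.exe", "NOT_LISTED")      # started while NOT_LISTED
current = {"chrome.exe": "COMPANY_WHITE_LIST"}          # upgraded after launch

def walk_through():
    # Step 6: the long-running pid 1150 is still judged on its launch reputation.
    before_restart = evaluate(rule, chrome, "SCRAPES_MEMORY")
    # Step 7: a restarted chrome.exe picks up the current reputation.
    restarted = Process(2210, "chrome.exe", current["chrome.exe"])
    after_restart = evaluate(rule, restarted, "SCRAPES_MEMORY")
    return before_restart, after_restart, stale_processes([chrome, restarted], current)

if __name__ == "__main__":
    print(walk_through())   # ('TERMINATE', 'ALLOW', [1150])
```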