VCDR Will Flag Malicious File when there has been a previously deployed CBC Tenant

Article ID: 313739

Products

• VMware Aria Suite
• VMware Cloud on AWS

Issue/Introduction

If a Carbon Black Cloud (CBC) tenant was already deployed, a malicious file may not be identified by that CBC tenant but can still be flagged as malicious by the VMware Cloud Disaster Recovery (VCDR) Ransomware Recovery add-on.

Cause

This likely explains why Ransomware Recovery scans report more malicious files than normal CB scans do in production; Ransomware Recovery was designed with exactly this goal in mind.

• Carbon Black (CB) normally performs file reputation analysis at execution time, based on traditional file hashes.

• If enabled, CB also performs a one-time Background Scan of all files on the system one hour after a sensor is installed.

• The Background Scan runs only if it is enabled in the policy; check the CB policy setting.

• Even when enabled, the Background Scan does not generate malware alerts; it generates events, which are harder to monitor.

• Although CB receives new security information continuously from multiple live feeds, it does not go back and periodically re-scan the entire system with that information, because doing so is too resource intensive.

This leaves the production system with a few potential blind spots: pre-existing known malware may not generate alerts until it is executed; new day-0 malware may not generate alerts because it is unknown at execution time; and no full system scan is performed automatically and periodically after the initial Background Scan. This is not specific to CB; other EDR (Endpoint Detection and Response) products behave similarly because of resource constraints in production environments.

Resolution

Ransomware Recovery addresses all these cases:

• A full system scan is performed for each snapshot using the most recent information available at analysis time. This can catch new malware that had not yet been studied when the system was initially infected, and it also catches malware that was never executed.

• To make this practical, ransomware scans run orders of magnitude faster than the normal Background Scan. Because the scans run in the Isolated Recovery Environment (IRE) in VMC rather than on production workloads, VCDR Ransomware Recovery has built a custom integration that lets ransomware scans consume more system resources in the IRE than is normally allowed in production.

• Ransomware scans are more aggressive than the Background Scan and generate alerts when malware is observed.
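The following is an added, constructed model (not code from VMware, Carbon Black or this article) of the three detection behaviours described in the Cause and Resolution sections: execution-time reputation lookups, the one-time Background Scan, and a full snapshot scan that uses the reputation data available at analysis time. File names, hash "feed" entries and timestamps are all invented; the "malware" samples are plain byte strings hashed with SHA-256 so the example runs offline. It shows why a file that was never executed, or whose hash was unknown when it ran, is missed by the first two mechanisms and still flagged by the snapshot scan.

```python
"""Constructed model of execution-time reputation vs. snapshot scanning."""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class FileRecord:
    name: str
    content: bytes                        # constructed sample bytes, not real malware
    created_at: float                     # hours since the sensor was installed
    executed_at: list = field(default_factory=list)  # hours at which the file ran

    @property
    def sha(self) -> str:
        return sha256(self.content)


# Constructed reputation feed: (hour at which the hash became known-bad, hash).
FEED = [
    (0.0, sha256(b"preexisting-sample")),          # known-bad before install
    (0.0, sha256(b"known-and-executed-sample")),   # known-bad before install
    (10.0, sha256(b"day-zero-sample")),            # only becomes known-bad at hour 10
]

# Constructed file system state.
FILES = [
    FileRecord("preexisting.exe", b"preexisting-sample", created_at=0.0),
    FileRecord("known_run.exe", b"known-and-executed-sample", created_at=0.0, executed_at=[4.0]),
    FileRecord("dayzero.exe", b"day-zero-sample", created_at=2.0, executed_at=[3.0]),
    FileRecord("notes.txt", b"benign notes", created_at=0.5),
]


def known_bad_at(feed, hour):
    """Hashes the feed had marked as malicious by the given hour."""
    return {h for (t, h) in feed if t <= hour}


def execution_time_alerts(files, feed):
    """EDR model: reputation is checked only when a file executes,
    using whatever the feed knew at that moment."""
    alerts = []
    for f in files:
        for t in f.executed_at:
            if f.sha in known_bad_at(feed, t):
                alerts.append((f.name, t))
    return alerts


def background_scan_events(files, feed, scan_hour=1.0):
    """One-time scan of files present at scan_hour; yields events, not alerts."""
    bad = known_bad_at(feed, scan_hour)
    return [f.name for f in files if f.created_at <= scan_hour and f.sha in bad]


def snapshot_scan_alerts(files, feed, snapshot_hour, analysis_hour):
    """Full scan of every file in the snapshot, using feed data
    available at analysis time rather than at snapshot time."""
    bad = known_bad_at(feed, analysis_hour)
    return [f.name for f in files if f.created_at <= snapshot_hour and f.sha in bad]


if __name__ == "__main__":
    print("execution-time alerts:  ", execution_time_alerts(FILES, FEED))
    print("background-scan events: ", background_scan_events(FILES, FEED))
    print("snapshot @5h, analysed @5h: ", snapshot_scan_alerts(FILES, FEED, 5.0, 5.0))
    print("snapshot @5h, analysed @12h:", snapshot_scan_alerts(FILES, FEED, 5.0, 12.0))
```

Running the block shows the gap the article describes: execution-time checking alerts only on `known_run.exe`; the Background Scan emits events for the two files that were already known-bad at hour 1 but never alerts; and the snapshot scan flags `dayzero.exe` as well once the analysis happens after the feed has learned its hash, even though the file ran before that and was never re-checked in production.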