Why was a file drop for Known Malware not blocked?
Article ID: 285945
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Why was a file classified as Known Malware allowed to be dropped on an endpoint?
Environment
- Endpoint Standard Sensor: All Versions
Resolution
- Sensors do not block the act of writing (dropping) a file to disk.
- If the dropped file is later executed, the sensor handles it according to the policy settings of the group the sensor belongs to.
Additional Information
- To prevent attacks from the file, keep sensors on a recent sensor version and ensure that policies are configured to take action on Known Malware applications.
- Once the file is dropped, it is isolated in place according to the policy's actions; it is not moved to a separate isolation folder.
- The Endpoint Standard sensor does not remove files detected as Known Malware. Deletion of malware requires the steps mentioned here.
- The file drop alert shows a status of Ran. This status refers to the act of dropping the file, not to the malicious file itself being run.
- Company-Banned files are treated the same way as Known Malware in the context of this article.