Automatically Ban Malicious Hashes Detected by the Reputation Service
Article ID: 286525
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
How to use an Event Rule to automatically ban a hash when flagged as Malicious by the Reputation Service
Environment
- App Control Console: All Supported Versions
Resolution
WARNING Extreme caution should be exercised when creating Event Rules to automatically ban files!
|
- Log in to the Console and navigate to Rules > Event Rules.
- Click View Details (pencil icon) on the Event Rule: [Sample] Report Malicious files.
- Adjust the details as desired, the default settings include:
- Status: Disabled
- Event Properties: Subtype > is: Malicious file detected
- File Properties: Publisher > does not contain: <empty>
- It is highly recommended to include Publisher does not contain: Microsoft to prevent accidental ban of a critical system file
- Action: Change Global State > Ban (Report Only)
- In Report Only mode, only the ban file events are reported, but the files could still execute
- Create For: All Current and Future Policies
- Consider implementing specific Filters to prevent automatic banning in certain circumstances, examples
- By default, Event Rules will change any pre-existing file state, if the file was Approved, it will be changed to Banned. To prevent this:
- File Properties > Add filter > File State > is: Unapproved
- Add a Publisher exclusion for explicitly trusted Publishers:
- File Properties > Add filter > Publisher > does not contain: Trusted Publisher
- By default, Event Rules will change any pre-existing file state, if the file was Approved, it will be changed to Banned. To prevent this:
- Save any changes
Additional Information
- See also: Data Used to Determine Malicious Reputation.
- Use the ESG Submission Portal to submit a False Positive or False Negative report.
- More information on Event Rules can be found on Tech Docs > Server > User Guide chapter: Event Rules.
Feedback
Yes
No
Powered by
