The Carbon Black Cloud is updating the initial definition of the “Standard” policy that is created for each new organization. The update consists of the modification of a single rule in this policy and applies only to new customers provisioned after the change is made. The change will not make any alterations of any kind to the policies of existing customers.
Current Rule:
Adware or PUP | Performs ransomware-like behavior | Terminate Process
New Rule:
Adware or PUP | Runs or is running | Terminate Process
Why are we making this change?
It is important to us that each of our customers can make the proper tradeoffs between day-to-day operations and the security of their environment, but we also believe that it is our responsibility to start all of our customers off with the strongest, most reasonable prevention policy.
When allowed to execute, potentially unwanted programs (PUPs) modify system settings and otherwise expose potentially sensitive information in a manner that presents many of our customers with unwanted risk. Cleaning up after an unintended PUP execution is often resource-intensive, and these applications are notorious for being difficult to uninstall.
Denying the execution of these applications presents minimal disruption to the business and can be addressed by our customers in one of two ways:
- Explicitly allowing specific applications labeled as a PUP to execute via permissions rules on the policy page, or globally via the reputation page.
- Fine-tuning the Adware or PUP rule in your environment to restrict certain behaviors such as ransomware-like activity or scraping memory.
What about customers with existing policies allowing PUP execution?
VMware Carbon Black recommends adopting the above rule in your organization, but it is important to first assess the impact on your current operating environment. To observe which applications in your environment are labeled as potentially unwanted programs, you can execute a search based on a process with the applied reputation of “PUP”.