App Control: Multiple File Names Are Blocked or Banned but Detected with the Same Hash Value

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Symptoms

The Agent enforces blocks on multiple files with different file paths/names, but reports the same hash value for all of them:
  • SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  • SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  • MD5: D41D8CD98F00B204E9800998ECF8427E

Cause

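By default, the Agent does not track empty files (0 bytes), regardless of file extension. The hashes listed above are the SHA256, SHA1 and MD5 digests of zero-length input, so every empty file produces the same values whatever its path or name.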

Resolution

Verify that a File Rule banning the hash does not exist:
  1. Log in to the Console and navigate to Rules > Software Rules > Files.
  2. Search for the relevant hashes.
  3. If necessary, change the Ban to an Approval.
Verify the file on the endpoint is not a 0KB file:
  1. Get the full path from the relevant Execution Block and use PowerShell to issue the following command:
    Get-FileHash "C:\Path\To\file.dll"
  2. If the hash does not match what was reported by the Agent, initiate a Cache Check and choose the option to Rescan Known Files:
    • From the Console: Assets > Computers > relevant Computer > right-hand menu > Perform Cache Consistency Check > Rescan known files
    • Using dascli on the endpoint:
      cd "C:\Program Files (x86)\Bit9\Parity Agent"
      dascli password GlobalPassword
      dascli checkcache 2
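
An added PowerShell example (not from the original article) that carries out the endpoint check above: it hashes the blocked file, compares the result with the hash the Agent reported and with the empty-file digests from Symptoms, and states which resolution step applies. The function name Test-BlockedFileHash and the temporary sample files are assumptions for illustration.

```powershell
# Added example. Digests of zero-length input, as listed under Symptoms.
$EmptyDigest = @{
    SHA256 = 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855'
    SHA1   = 'DA39A3EE5E6B4B0D3255BFEF95601890AFD80709'
    MD5    = 'D41D8CD98F00B204E9800998ECF8427E'
}

# Hypothetical helper name; not part of App Control or dascli.
function Test-BlockedFileHash {
    param(
        [Parameter(Mandatory)][string]$Path,          # full path from the Execution Block
        [Parameter(Mandatory)][string]$ReportedHash,  # hash reported by the Agent
        [ValidateSet('SHA256', 'SHA1', 'MD5')][string]$Algorithm = 'SHA256'
    )
    # -Force so hidden or system files are still found.
    $item      = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $actual    = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    $reported  = $ReportedHash.Trim().ToUpperInvariant()
    $hashMatch = ($actual -eq $reported)

    $next = if ($hashMatch) {
        'On-disk hash matches the report: check Rules > Software Rules > Files for a Ban on it.'
    } else {
        'On-disk hash differs from the report: run a cache check with Rescan known files.'
    }

    [pscustomobject]@{
        Path            = $item.FullName
        LengthBytes     = $item.Length
        Algorithm       = $Algorithm
        OnDiskHash      = $actual
        IsEmptyOnDisk   = ($item.Length -eq 0)
        ReportedIsEmpty = ($reported -eq $EmptyDigest[$Algorithm])
        HashMatches     = $hashMatch
        NextStep        = $next
    }
}

# Constructed sample input: one empty and one non-empty temp file,
# both "reported" with the empty-file SHA256 from the article.
$empty = (New-TemporaryFile).FullName
$full  = (New-TemporaryFile).FullName
Set-Content -LiteralPath $full -Value 'constructed sample content'
$empty, $full | ForEach-Object {
    Test-BlockedFileHash -Path $_ -ReportedHash $EmptyDigest.SHA256
} | Format-List
Remove-Item -LiteralPath $empty, $full
```

A result with ReportedIsEmpty true and IsEmptyOnDisk false means the Agent's cached hash was taken while the file was still empty, which is the case the cache check with Rescan known files corrects.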

Additional Notes

  • The hash E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 is considered Trusted, with a Reputation of 10.
  • VT has reported that the hash is clean: VirusTotal

Creation Date: 11-29-2022