Environment
- Carbon Black Cloud Web Console: All Versions
- Carbon Black Cloud Sensor: All Versions
Question
Why was malware allowed to run, despite policy settings to terminate 'Known Malware' when it 'runs or is running', before CBC blocked and terminated it a short time later?
Answer
- The file/hash concerned did not have a 'Known Malware' reputation at the time of the events
- The reputation that was 'Applied' at the time was 'Not Listed', because neither the Local AV Scanner nor the CDC Reputation Service had any information that the file was malware
- Once the file received an updated reputation of 'Known Malware' from the CDC, the policy settings kicked in and terminated the related events
Additional Notes
- Always check the events to see which reputation was 'applied' to either the Process or the Target
- On the Investigate page it will look something like this: "App reputation (applied, AV scan)" or "Target reputation (applied, cloud)"
- You may see two entries for reputation, but it is the 'Applied Reputation' that comes into play; the other is the file's current reputation, not its reputation at the time of the event
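The check described above, as an added triage helper that is not part of this article or of any Carbon Black Cloud tooling: it walks a set of event records and, for each one, reports whether a 'Terminate Known Malware' rule could have fired based on the reputation applied at event time, and flags the case where the file's current reputation differs. The event field names (`applied_reputation`, `current_reputation`, `reputation_source`) and the sample events are constructed for this example and are not the CBC API schema.

```python
"""Explain, per event, why a 'Terminate Known Malware' rule did or did not
fire, using the reputation APPLIED at event time rather than the file's
CURRENT reputation.

Assumption: events are dicts with the constructed keys used below; these
are not real Carbon Black Cloud API field names.
"""
from dataclasses import dataclass

# Reputations that the policy rule terminates on (wording from the article).
TERMINATE_ON = {"Known Malware"}


@dataclass
class Verdict:
    event_id: str
    rule_fires: bool
    reason: str


def evaluate_event(event: dict) -> Verdict:
    """Decide from the applied reputation whether the terminate rule matches."""
    applied = event["applied_reputation"]   # reputation at the time of the event
    current = event["current_reputation"]   # reputation of the hash right now
    source = event.get("reputation_source", "unknown")  # e.g. 'AV scan' or 'cloud'
    if applied in TERMINATE_ON:
        return Verdict(event["id"], True,
                       f"applied reputation '{applied}' ({source}) matches the rule")
    if current in TERMINATE_ON:
        # The common confusion: the console now shows Known Malware, but that
        # reputation arrived after the event, so the rule could not fire then.
        return Verdict(event["id"], False,
                       f"applied reputation was '{applied}' ({source}); the file is "
                       f"now '{current}', which was not known at event time")
    return Verdict(event["id"], False,
                   f"applied reputation '{applied}' ({source}) is not covered")


def triage(events: list) -> list:
    """Evaluate every event and return the verdicts in input order."""
    return [evaluate_event(e) for e in events]


# Constructed sample: the same hash seen three times as its reputation changes.
SAMPLE_EVENTS = [
    {"id": "ev1", "applied_reputation": "Not Listed", "reputation_source": "AV scan",
     "current_reputation": "Known Malware"},
    {"id": "ev2", "applied_reputation": "Not Listed", "reputation_source": "cloud",
     "current_reputation": "Known Malware"},
    {"id": "ev3", "applied_reputation": "Known Malware", "reputation_source": "cloud",
     "current_reputation": "Known Malware"},
]

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(v.event_id, "fires" if v.rule_fires else "no fire", "-", v.reason)
```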