Endpoint Standard: Why was Malware allowed to run before being blocked?

Environment

  • Carbon Black Cloud Web Console: All Versions
  • Carbon Black Cloud Sensor: All Versions

Question

Why was malware allowed to run, despite a policy setting to Terminate 'Known Malware' when it 'runs or is running', before being blocked and terminated by CBC a short time later?

Answer

  • The file/hash concerned did not have a 'Known Malware' reputation at the time of the events
  • The reputation that was 'Applied' at the time was 'Not Listed', because neither our Local AV Scanner nor our CDC Reputation Service had any information that the file was malware
  • Once the file received an updated reputation of 'Known Malware' from our CDC, the policy settings took effect and terminated the related events

Additional Notes

  • Always check the events to see which reputation was 'applied' to the Process or the Target
  • On the Investigate page it will look something like this: App reputation (applied, AV scan), or Target reputation (applied, cloud)
  • You may see two entries for reputation, but it is the 'Applied Reputation' that determines the policy action; the other entry is the file's current reputation, not its reputation at the time of the event
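The following script is an added example, not part of the original article and not Carbon Black Cloud code. It shows how an analyst can check a timeline of events for one hash and confirm that the sensor's actions were consistent with the reputation applied at the time of each event, while the file's current reputation (now 'Known Malware') would suggest otherwise. The event records, the field names (`applied_reputation`, `current_reputation`, `applied_source`, `action`) and the hash value are constructed for this example and do not match the Carbon Black Cloud schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    # Field names are assumptions for this example, not the CBC event schema.
    ts: datetime
    sha256: str
    applied_reputation: str   # reputation the sensor enforced at event time
    applied_source: str       # where it came from, e.g. "AV scan" or "cloud"
    current_reputation: str   # reputation the console shows for the file now
    action: str               # what the sensor did: "allowed" or "terminated"


# Reputations the example policy terminates on "runs or is running".
TERMINATE_ON = {"KNOWN_MALWARE"}


def expected_action(applied_reputation: str) -> str:
    """Policy decisions depend on the reputation applied at event time,
    never on the reputation the file has acquired since."""
    return "terminated" if applied_reputation in TERMINATE_ON else "allowed"


def explain_gap(events: List[Event], sha256: str) -> Dict[str, object]:
    """Walk the events for one hash in time order and report why the early
    executions were allowed and when enforcement actually started."""
    rows = sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.ts)
    if not rows:
        raise ValueError("no events for hash %s" % sha256)

    first = rows[0]
    first_terminated: Optional[Event] = next(
        (e for e in rows if e.action == "terminated"), None)

    # An event is inconsistent only if the sensor's action differs from what
    # the policy should have done given the *applied* reputation.
    inconsistent = [e for e in rows
                    if e.action != expected_action(e.applied_reputation)]

    exposure = None
    if first_terminated is not None:
        exposure = (first_terminated.ts - first.ts).total_seconds()

    return {
        "first_seen": first.ts,
        "reputation_at_first_run": first.applied_reputation,
        "source_at_first_run": first.applied_source,
        "current_reputation": rows[-1].current_reputation,
        "first_terminated": first_terminated.ts if first_terminated else None,
        "exposure_seconds": exposure,
        "policy_consistent": not inconsistent,
    }


# Constructed sample timeline resembling the case described in the article.
T0 = datetime(2020, 9, 9, 12, 0, 0)
SAMPLE_HASH = "aa" * 32  # constructed placeholder, not a real indicator


def sample_events() -> List[Event]:
    return [
        Event(T0, SAMPLE_HASH, "NOT_LISTED", "AV scan", "KNOWN_MALWARE", "allowed"),
        Event(T0 + timedelta(seconds=30), SAMPLE_HASH,
              "NOT_LISTED", "cloud", "KNOWN_MALWARE", "allowed"),
        Event(T0 + timedelta(seconds=120), SAMPLE_HASH,
              "KNOWN_MALWARE", "cloud", "KNOWN_MALWARE", "terminated"),
    ]


if __name__ == "__main__":
    report = explain_gap(sample_events(), SAMPLE_HASH)
    for key, value in report.items():
        print("%-24s %s" % (key, value))
```

The `policy_consistent` flag is the check to look at first: if it is true, the sensor did exactly what the policy asked for at each event and the apparent gap is a reputation timing issue, which is the situation the article describes. The `exposure_seconds` value is the window between the first allowed execution and the first termination, which is what you would record in an incident timeline.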

Article Information
Creation Date: 09-09-2020