Environment
- Endpoint Standard (Formerly CB Defense) Sensor: All Versions
Question
Why was a file classified as Known Malware allowed to be dropped on an endpoint?
Answer
Sensors will not block the action of dropping a file. If the file were to execute, the sensor would handle the malware based on the sensor's group policy settings.
Additional Notes
- To prevent attacks from the file, keep sensors up-to-date with a recent sensor version and ensure policies take action for Known Malware applications.
- Once the file is dropped, the file will be isolated in place based on policy actions rather than being moved to a specific isolation folder
- Endpoint Standard sensor will not remove files detected as known malware. Deletion of malware requires administrative intervention
- The file drop alert will show a status of Ran. This applies to the action of dropping the file and not the malicious file being run
- Company-Banned files are treated the same way as Known Malware in this article's context.
Related Content