
EDR: What type of files does "Ban The Hash" block?

Environment

  • EDR (formerly CB Response) : All versions

Question

What type of files does "Ban The Hash" block? Does it ban Word documents?

Answer

The EDR banning feature identifies and bans processes based on the MD5 hash of the executable that is launched. It does not ban shared libraries or other loaded modules, such as DLL, SYS, CPL, and OCX files.

Additional Notes

  • Binary: An executable file (for example, a Windows PE file, a Linux ELF file, or a macOS Mach-O file) that is stored on disk in binary form and executed by the operating system.
  • EDR only collects binaries that execute. It does not collect scripts, batch files, or other files that are created or modified.
  • EDR does collect the names of scripts and batch files that appear in command prompts and command lines.
  • EDR also collects file names and paths as files are created or modified.
  • If winword.exe is used to open a Word document, a filemod event for that document is recorded under the winword.exe process. However, EDR does not provide a way to ban the Word document itself.
  • EDR does not support SHA-256 banning, even though SHA-256 hashes are visible in the console.
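The following is an added illustrative model of the banning semantics described above; it is not EDR's own code or API. It assumes three constructed event kinds (process, modload, filemod) and constructed sample file contents, and shows why a banned MD5 stops a process launch but not a DLL load or a document written by winword.exe, and why a SHA-256 value cannot be added to the ban list.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """A constructed endpoint event (hypothetical, not EDR's schema).

    kind is one of "process" (a binary executed), "modload" (a library such as
    a DLL/SYS/CPL/OCX was loaded) or "filemod" (a file was created/modified).
    """
    kind: str
    path: str
    md5: str
    parent: str = ""


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample file contents; not real binaries or documents.
SAMPLE_EXE = b"MZ\x90\x00 constructed sample executable"
SAMPLE_DLL = b"MZ\x90\x00 constructed sample library"
SAMPLE_DOC = b"PK\x03\x04 constructed sample docx"


def add_ban(banned: set, file_hash: str) -> bool:
    """Add a hash to the ban list. Only MD5 (32 hex chars) is accepted,
    mirroring the note that SHA-256 banning is not supported. Returns
    True if the hash was added, False if it was rejected."""
    h = file_hash.strip().lower()
    if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
        return False
    banned.add(h)
    return True


def is_blocked(event: Event, banned: set) -> bool:
    """Model of the ban decision: only process executions are compared
    against the MD5 ban list. Module loads and file modifications are
    recorded for visibility but are never blocked by Ban The Hash."""
    return event.kind == "process" and event.md5.lower() in banned


def evaluate(events, banned):
    """Return (kind, path, blocked) for each event so the outcome per event
    kind is easy to inspect."""
    return [(e.kind, e.path, is_blocked(e, banned)) for e in events]


def demo():
    banned = set()
    # Every sample hash is banned, so any difference in outcome below comes
    # from the event kind, not from the hash list.
    for sample in (SAMPLE_EXE, SAMPLE_DLL, SAMPLE_DOC):
        add_ban(banned, md5_hex(sample))

    events = [
        Event("process", r"C:\Office\winword.exe", md5_hex(SAMPLE_EXE)),
        Event("modload", r"C:\Office\helper.dll", md5_hex(SAMPLE_DLL),
              parent="winword.exe"),
        Event("filemod", r"C:\Users\alice\report.docx", md5_hex(SAMPLE_DOC),
              parent="winword.exe"),
    ]
    return evaluate(events, banned)


if __name__ == "__main__":
    for kind, path, blocked in demo():
        print(f"{kind:8} {path:35} blocked={blocked}")
    print("SHA-256 accepted:", add_ban(set(), sha256_hex(SAMPLE_EXE)))
```

Running the script shows only the process event as blocked; the DLL load and the document filemod under winword.exe pass through even though their hashes are on the list, and the SHA-256 value is rejected by the ban-list model.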

Article Information
Creation Date: 12-07-2018