CBC: Hash Deleted From the Banned List Retains the COMPANY_BANNED_LIST Reputation

Environment

  • Carbon Black Cloud Console: All versions
  • Hash added to the Banned List via Enforce > Reputations
  • Banned Hash is removed from Enforce > Reputations 

Symptoms

  • Alerts tied to TTP: COMPANY_BLACKLIST are still observed after the hash is removed as a blacklist hash from Enforce > Reputations
  • The reputation eventually updates and no longer shows COMPANY_BLACK_LIST

Cause

This is a known issue with the Web Console caching reputations, which delays clearing the previous reputation.

Resolution

This issue is resolved in the PSC Console October '18 release, version 0.41.0.

Additional Notes

Workaround for Block Due to Reputation:

Workaround for Alerts Due to Reputation:
  • There is no current workaround to resolve the issue of the delay in processing the reputation change when a file hash is removed from the Blacklist.
  • While this delay occurs, Alerts will continue to be generated because of the COMPANY_BLACK_LIST reputation associated with the file.

Article Information

Creation Date: 11-20-2018