logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Carbon Black Cloud Console: Trusted File has reputation of KNOWN_MALWARE (False Positive)

Carbon Black Cloud Console: Trusted File has reputation of KNOWN_MALWARE (False Positive)

Environment

  • Carbon Black Cloud Console:  All Versions

Symptoms

  • Application is being stopped by Sensor Policy
  • Application has a reputation that triggers a policy action
  • Review of application shows it is trusted by users

Cause

Application has reputation of KNOWN_MALWARE from behavior or operations

Resolution

  • Verify that the application is trusted for the environment
  • If the file is known good and validated by the developer as such, approve the application by adding its SHA256 hash to the "Approved List"

Additional Notes

In situations where the application is under constant development and presents similar behavior and/or operations as what triggered the initial conviction, it's possible the new versions of the executable may trigger blocks or it might be terminated depending on the policy the endpoint has been assigned to.  If the file has been categorized as malware, suspicious malware or otherwise malicious while the business is certain the file is not malicious (false positive) please engage support to have the reputation of the file reassessed and cleared if deemed clean after analysis.  Of course, every time code is compiled, a new SHA256 value will be generated.

When submitting false positives, please refer to this KB, and kindly provide the following information:

  • Name of affected file
  • SHA256 value of the file
  • Affected Machine Name
  • Policy name assigned to the affected machine
  • AlertID or EventID

In the interim, please add the new SHA256 to the approved list by hash. Adding multiple hashes can be accomplished through the csv upload functionality, as explained here.

Alternatively, for developer environments, the IDE/compiler should be added as an IT Tool allow list. Once added, any subsequent file compiled by the tool will be given a local_white reputation.  Please note this only affects the local machine's reputation.

If adding the newly updated executable's SHA256 to the approved list is not feasible, as a temporary workaround a permission rule to bypass the path where the application resides can be added to the policy.
 

Application at Path: <file path for application> 
Operation: Runs or is running 
Action: Allow & Log


We recommend creating a temporary policy and limiting the number of endpoints added to it, as these types of bypass rules can represent a risk and can affect the organization security posture.  Adding a permission by hash value while the investigation is ongoing is the preferred method, when certain the file is in fact clean.


Related Content


Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎09-09-2020
Views:
1325
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.