Carbon Black Cloud: How does CBC warn you when you try and block Processes on Trusted White List?

Environment

Carbon Black Cloud Console: All Versions

Question

How does CBC warn you when you try and block Processes on Trusted White List?

Answer

  1. While investigating an alert, also review the Binary Details of the file. This helps you understand more about the file and see how CBC has the file listed.
  2. If you choose to ban a known good, trusted white list item, you will be prompted with a page that shows how many times the hash has been seen in your organization over the last six months, along with the current Cloud Reputation and Signed By.
  3. If you continue to add the file, you will be required to select a check box beside a note stating "I agree to add this hash to the company Banned list", with a warning above it, in red, stating "This hash is commonly trusted and widely used. Ban Anyway?"
Example:
The hash for svchost.exe is an example of a file that will prompt you in this way.
Hash: add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88

Additional Notes

If you do not use the above process to review binaries from the Investigate page, and instead go directly to the Enforce and Reputation page, you bypass the warning and take on the risk that comes with that.

Article Information
Creation Date: 11-17-2022