Environment
Carbon Black Cloud Console: All Versions
Question
How does CBC warn you when you try to block processes on the Trusted White List?
Answer
- While investigating an alert, please also review the Binary Details of a file. This will allow you to understand more about the file and see how CBC has the file listed.
- If you choose to ban a known good and trusted white list item, you will be prompted with a page that tells you how many times the hash has been seen in your organization over the last six months, along with the current Cloud Reputation and Signed By.
- If you continue to add the file, you will be required to check a box beside a note stating
"I agree to add this hash to the company Banned list"
with a warning above, in red, stating
"This hash is commonly trusted and widely used. Ban Anyway?"
Example: The hash for svchost.exe is an example of a file that will prompt you in this way.
hash: add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88
Prompt #1: [image]
Prompt #2: [image]
Additional Notes
If you do not use the above process to review the binaries from the Investigate page, and instead go to the Enforce and Reputation page, you will be taking a risk and bypassing the warning.