
Carbon Black Cloud: Is all Windows API activity captured?

Environment

  • Carbon Black Cloud (formerly PSC) Console: All Supported Versions
    • Endpoint Standard (formerly CB Defense)
    • Enterprise EDR (formerly CB ThreatHunter)
    • Workload (formerly CB Defense for VMware + VMware AppDefense)
    • Audit and Remediation (formerly CB LiveOps)
  • Microsoft Windows: All Supported Versions

Question

Because malware can use Windows API calls to carry out malicious activity, are all API calls monitored by the sensor?

Answer

Sensor 3.8 and Above
  • Beginning with sensor version 3.8, Enterprise EDR (EEDR) Windows sensors detect and report the API information associated with Windows cross-process events. Previously this information was available only in environments with Endpoint Standard enabled. In EEDR-only environments, users can now search on the crossproc_api field in the console.
Sensor 3.7 and Below
  • Sensor versions 3.7 and below do not monitor individual Windows APIs. The sensor monitors behavior and captures the related TTPs.

Additional Notes

Although a subset of the monitored APIs is exposed through the crossproc_api search field, future sensor versions will move away from API-specific monitoring. Detections that depend on the presence of particular API names should therefore not be relied on as a long-term approach; behavior-based TTPs remain the supported detection data.

Creation Date: 12-16-2020