Carbon Black Cloud: Notepad.exe detected as KNOWN_MALWARE

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Symptoms

Windows Event Viewer (Application.evtx) shows:
Event ID: 33
Source: CbDefense
Warning: CldApiLogCloudReputationThreat: Carbon Black Cloud Sensor indicates the file \device\harddiskvolume3\windows\system32\notepad.exe is banned and is likely a virus (Swrort)
Events in the console show:
C:\windows\system32\notepad.exe. The operation was blocked by Cb Defense.

Cause

An analytics change on June 20th affecting the reputation of Notepad.exe resulted in an incorrect KNOWN_MALWARE reputation for the file.

Resolution

This has been corrected on the backend, and these blocks should no longer occur.

Additional Notes

  • The notepad.exe file has a sha256 hash value: 0d54da710565a3820860be8df519df62458e9a997bed3c6925665268ecc1086f
  • In this case, Microsoft did not code-sign this version of Notepad.exe. Microsoft is normally diligent about signing its files, so this rarely happens. Attackers, on the other hand, do sometimes deploy hijacked or known-vulnerable copies of Notepad.exe, so an unsigned Notepad is a suspicious artifact. The reputation automation acted on that signal and updated the file's reputation, even though the file itself was legitimate.
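To confirm on an affected host that a block was this false positive rather than a genuinely tampered binary, the following PowerShell check is an added example (not part of the original article): it compares the on-disk notepad.exe hash with the SHA-256 documented above, reports the Authenticode signature status, and counts the CbDefense Event ID 33 entries from the Application log that mention notepad.exe. The function name `Test-NotepadFalsePositive` is my own.

```powershell
# Added example, not from the KB article: triage a Carbon Black block on notepad.exe.
# Expected hash is the one documented in this article for the affected Notepad build.
$KnownHash = '0d54da710565a3820860be8df519df62458e9a997bed3c6925665268ecc1086f'
$NotepadPath = Join-Path $env:SystemRoot 'System32\notepad.exe'

function Test-NotepadFalsePositive {
    param(
        [string]$FilePath     = $NotepadPath,
        [string]$ExpectedHash = $KnownHash
    )

    # SHA-256 of the file actually on disk, normalised for comparison.
    $hash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash.ToLowerInvariant()

    # Authenticode status: 'Valid' for a signed Microsoft binary,
    # 'NotSigned' for the unsigned build described in this article.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    # Event ID 33 from source CbDefense carries the CldApiLogCloudReputationThreat warning
    # quoted in the Symptoms section; keep only entries that reference notepad.exe.
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'Application'; ProviderName = 'CbDefense'; Id = 33
              } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'notepad\.exe' }

    [pscustomobject]@{
        Path               = $FilePath
        Sha256             = $hash
        MatchesArticleHash = ($hash -eq $ExpectedHash.ToLowerInvariant())
        SignatureStatus    = $sig.Status
        Signer             = $sig.SignerCertificate.Subject
        BlockEvents        = @($events).Count
    }
}

Test-NotepadFalsePositive | Format-List
```

A result with MatchesArticleHash = True and SignatureStatus = NotSigned is the case this article describes; a hash that matches neither the article nor a known-good Windows build warrants normal incident handling instead.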

Creation Date: 06-23-2022