Carbon Black Cloud: Notepad.exe detected as KNOWN_MALWARE
Carbon Black Cloud Console: All Versions
Endpoint Standard Sensor: All Versions
Microsoft Windows: All Supported Versions
Windows Event Viewer (Application.evtx) shows:
Event ID: 33
Warning: CldApiLogCloudReputationThreat: Carbon Black Cloud Sensor indicates the file \device\harddiskvolume3\windows\system32\notepad.exe is banned and is likely a virus (Swrort)
Events in the console show:
C:\windows\system32\notepad.exe. The operation was blocked by Cb Defense.
An analytics change relating to the reputation of Notepad.exe on June 20th resulted in an incorrect KNOWN_MALWARE reputation for the file.
This has been corrected on the backend, and these blocks should no longer occur.
The affected notepad.exe file has the SHA256 hash value: 0d54da710565a3820860be8df519df62458e9a997bed3c6925665268ecc1086f
In this case, Microsoft did not code-sign this version of Notepad.exe. Microsoft is usually diligent about signing its files, so this is rare. At the same time, it is not unusual for attackers to deploy hijacked or known-vulnerable copies of Notepad.exe. An unsigned Notepad.exe is therefore a suspicious artifact, and the reputation automation updated the file's reputation accordingly, even though this particular file was legitimate.
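The following PowerShell check is added here and is not part of the original article or a Carbon Black tool: it compares the local notepad.exe against the hash quoted above, reports its signature state, and lists Event ID 33 entries in the Application log that name notepad.exe. The sensor's event provider name is not given in the article, so the script matches on the message text instead.

```powershell
# Added check (not from the KB): is the local notepad.exe the build this article
# describes, how is it signed, and has the sensor logged reputation events for it?
$KbHash = '0d54da710565a3820860be8df519df62458e9a997bed3c6925665268ecc1086f'  # from the article
$Path   = Join-Path $env:SystemRoot 'System32\notepad.exe'

$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
$sig  = Get-AuthenticodeSignature -FilePath $Path

[pscustomobject]@{
    Path           = $Path
    SHA256         = $hash
    MatchesKbHash  = ($hash -eq $KbHash)
    SignatureState = $sig.Status         # Valid, NotSigned, HashMismatch, ...
    SignatureType  = $sig.SignatureType  # Authenticode, Catalog or None; most OS binaries are catalog-signed
    Signer         = $sig.SignerCertificate.Subject
} | Format-List

# Event ID 33 entries from the sensor that reference notepad.exe. The provider
# name is not stated in the article, so filter on the message text instead.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 33 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'CldApiLogCloudReputationThreat' -and $_.Message -match 'notepad\.exe' } |
    Select-Object TimeCreated, ProviderName, Message |
    Format-List
```

A file that matches the hash with SignatureState NotSigned corresponds to the case in this article; a different hash with SignatureType Catalog is simply a normal, catalog-signed build of Notepad.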