Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard Sensor: All Versions
- Microsoft Windows: All Supported Versions
Symptoms
Windows Event Viewer (Application.evtx) shows:
Event ID: 33
Source: CbDefense
Warning: CldApiLogCloudReputationThreat: Carbon Black Cloud Sensor indicates the file \device\harddiskvolume3\windows\system32\notepad.exe is banned and is likely a virus (Swrort)
Events in console show:
C:\windows\system32\notepad.exe. The operation was blocked by Cb Defense.
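To find every endpoint log entry of this kind (rather than the one event quoted above), the following PowerShell is an added example, not code from the Carbon Black KB article or from VMware. It parses the Event ID 33 message text into the file path and the threat label. The regex is an assumption derived from the message quoted above, and the sample message embedded at the bottom is a constructed copy of that event text so the parser can be exercised offline.

```powershell
# Added example: triage CbDefense Event ID 33 (CldApiLogCloudReputationThreat) entries.
# The message layout is assumed from the event quoted in the Symptoms section:
#   "... indicates the file <path> is banned and is likely a virus (<threat>)"
$BanPattern = 'indicates the file (?<path>\S+) is banned and is likely a virus \((?<threat>[^)]+)\)'

function ConvertFrom-CbBanMessage {
    # Turns one event message into an object with the device path and threat name,
    # or returns nothing if the text does not match the expected layout.
    param([Parameter(Mandatory)][string]$Message, [datetime]$TimeCreated = (Get-Date))
    if ($Message -match $BanPattern) {
        [pscustomobject]@{
            TimeCreated = $TimeCreated
            DevicePath  = $Matches.path      # e.g. \device\harddiskvolume3\windows\system32\notepad.exe
            FileName    = Split-Path -Leaf $Matches.path
            Threat      = $Matches.threat    # e.g. Swrort
        }
    }
}

function Get-CbBanEvents {
    # Reads the live Application log. Get-WinEvent throws when nothing matches,
    # so suppress that and return an empty result instead.
    $filter = @{ LogName = 'Application'; ProviderName = 'CbDefense'; Id = 33 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-CbBanMessage -Message $_.Message -TimeCreated $_.TimeCreated }
}

# Constructed sample (copy of the event text quoted in this article) to show the parser working
$sample = 'CldApiLogCloudReputationThreat: Carbon Black Cloud Sensor indicates the file ' +
          '\device\harddiskvolume3\windows\system32\notepad.exe is banned and is likely a virus (Swrort)'
ConvertFrom-CbBanMessage -Message $sample | Format-List

# Live log: one line per (file, threat) pair with a hit count and first/last seen time,
# which makes a single mis-scored file with many blocks easy to spot.
Get-CbBanEvents |
    Group-Object FileName, Threat |
    Select-Object Count,
        @{ n = 'FileName'; e = { $_.Group[0].FileName } },
        @{ n = 'Threat';   e = { $_.Group[0].Threat } },
        @{ n = 'First';    e = { ($_.Group.TimeCreated | Measure-Object -Minimum).Minimum } },
        @{ n = 'Last';     e = { ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the affected endpoint; the device path in the event is an NT object path, not a drive letter, which is why the grouping is done on the file name.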
Cause
An analytics change on June 20th altered the reputation assigned to Notepad.exe and resulted in an incorrect KNOWN_Malware reputation for the file.
Resolution
This has been corrected on the backend, and these blocks should no longer occur.
Additional Notes
- The affected notepad.exe has the SHA-256 hash: 0d54da710565a3820860be8df519df62458e9a997bed3c6925665268ecc1086f
- In this case, Microsoft did not code-sign this version of Notepad.exe. Microsoft is normally consistent about signing its binaries, so an unsigned Notepad is unusual, whereas attackers deploying hijacked or known-vulnerable copies of Notepad.exe is not. An unsigned Notepad therefore looks suspicious, and the reputation automation updated the file's reputation accordingly, even though the file was legitimate.
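To confirm whether a blocked Notepad on a given endpoint is this known false positive (same hash, legitimate file) or something that warrants investigation, the following PowerShell is an added example, not code from the Carbon Black KB article or from VMware. It hashes the local notepad.exe, compares it to the SHA-256 listed above, and reports the Authenticode status. The expected-hash value is the one from the note above; the function name is an assumption.

```powershell
# Added example: compare the local notepad.exe with the hash from this article and
# report its signature status. Hash value taken from the Additional Notes above.
$KnownFalsePositiveSha256 = '0d54da710565a3820860be8df519df62458e9a997bed3c6925665268ecc1086f'

function Test-KnownNotepadBlock {
    param(
        [string]$FilePath = (Join-Path $env:SystemRoot 'System32\notepad.exe'),
        [string]$ExpectedSha256 = $KnownFalsePositiveSha256
    )
    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash.ToLower()
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath

    [pscustomobject]@{
        Path            = $FilePath
        Sha256          = $hash
        MatchesKbHash   = ($hash -eq $ExpectedSha256.ToLower())
        SignatureStatus = $sig.Status           # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Only a hash match identifies the false positive described in this article;
        # an unsigned Notepad with a different hash is exactly the case that deserves a closer look.
        Verdict         = if ($hash -eq $ExpectedSha256.ToLower()) {
                              'Matches the notepad.exe from this KB article (known false positive)'
                          } elseif ($sig.Status -ne 'Valid') {
                              'Different hash and no valid signature: investigate before unblocking'
                          } else {
                              'Different hash but validly signed: not the file described in this article'
                          }
    }
}

Test-KnownNotepadBlock | Format-List
```

Get-AuthenticodeSignature also consults the Windows security catalogs, so a result of NotSigned means neither an embedded signature nor a catalog entry on that machine covers the file. If the hash matches and the Cb Defense block persists after the backend correction, the remaining check is whether the sensor has received the updated reputation, since the article states the fix was applied on the backend rather than in the sensor.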