Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: All Versions
- Microsoft Windows: All Supported Versions
Question
- Multiple alerts: RemoveSA31Appx.exe
- Reason: The application pcdrwi.exe invoked another application (RemoveSA31Appx.exe). A Deny Policy Action was applied
- Recent TTPs:
- pcdrwi.exe policy_denyrun_unknown_app
Answer
The reputation has been updated so these alerts should no longer occur for this instance of the file
Additional Notes
There is no need to open cases based on this, the reputation is updated. Whitelisting the hash can avoid any additional alerts going forward.
Related Content
