Environment
- Carbon Black Cloud Sensor: 3.9.2 and prior releases
- Microsoft Windows: All Supported Versions
Symptoms
Alerts for the blocking of a banned hash continue to be seen after the hash has been removed from the banned list.
Cause
Tracked as defect DSEN-21581 and addressed in the 4.0.0.1292 sensor release. In specific edge cases, a sensor can revert to banning a previously banned hash after an unclean endpoint shutdown, due to corruption of the local sensor database and a restore to backup.
Resolution
When a banned hash is removed from the banned list, add the same hash to the allowed list.
Additional Notes
- Short summary: If you unban a hash, approve it as well until all Windows sensors are updated to the 4.0.0.1292 sensor release or newer.
- Hashes added to the allowed list due to this issue can be removed 2 weeks after being added, once all endpoints have checked in and the backup interval has been cleared.