logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Carbon Black Cloud: Sensor still banning a hash that was removed from banned list

Carbon Black Cloud: Sensor still banning a hash that was removed from banned list

Environment

  • Carbon Black Cloud Sensor: 3.9.2 and prior releases
  • Microsoft Windows: All Supported Versions

Symptoms

Alerts for blocking of banned hashes seen after the hash has been removed from the banned list.

Cause

Tracked as a defect:  DSEN-21581, and addressed in the 4.0.0.1292 sensor release.  In specific edge cases, a sensor can revert to banning a previously banned hash after an unclean endpoint shutdown due to local sensor db corruption and restore to backup.  
 

Resolution

In situations where a banned hash is removed from the banned list, add the same hash to allowed list.  

Additional Notes

  • Short summary: If you unban a hash, approve it as well until all Windows sensors are updated to 4.0.0.1292 sensor release or newer.
  • hashes added to allowed list due to this issue can be removed 2 weeks after being added, once all endpoints have checked in and backup interval has been cleared.

Related Content


Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎09-22-2023
Views:
370
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.