Environment
- Carbon Black Cloud Sensor: All Versions
- Microsoft Windows: All Supported Versions
Symptoms
Alerts for the blocking of a banned hash continue to appear after the hash has been removed from the banned list.
Cause
This is tracked as defect DSEN-21581 and is scheduled to be fixed in a future release. In specific edge cases, an unclean endpoint shutdown corrupts the local sensor database, which is then restored from backup, and the sensor reverts to banning a previously banned hash.
Resolution
When a banned hash is removed from the banned list, add the same hash to the allowed list.
Additional Notes
- Short summary: If you unban a hash, approve it as well until this issue is resolved in a future version of the CBC Windows Sensor.
- Hashes added to the allowed list because of this issue can be removed 2 weeks after being added, once all endpoints have checked in and the backup interval has been cleared.