Carbon Black Cloud: Sensor still banning a hash that was removed from banned list
Carbon Black Cloud Sensor: All Versions
Microsoft Windows: All Supported Versions
Alerts for blocking of banned hashes seen after the hash has been removed from the banned list.
Tracked as a defect: DSEN-21581, and scheduled to be fixed in a future release. In specific edge cases, a sensor can revert to banning a previously banned hash after an unclean endpoint shutdown due to local sensor db corruption and restore to backup.
In situations where a banned hash is removed from the banned list, add the same hash to allowed list.
Short summary: If you unban a hash, approve it as well until this issue is resolved in a future version of the CBC Windows Sensor.
hashes added to allowed list due to this issue can be removed 2 weeks after being added, once all endpoints have checked in and backup interval has been cleared.