Environment
- Carbon Black Cloud Sensor: 3.7 and Below
- Microsoft Windows: All Supported Versions
Symptoms
- Alert Reason: Process <process_name> was detected by the report "Defense Evasion - Execution from Recycle Bin" in watchlist "Carbon Black Advanced Threats"
- Path for event starts with 'c:\$recycle.bin'
Cause
Suspected bug with normalization - DSEN-15324
Resolution
Upgrade sensor to the latest 3.8+ sensor version