Carbon Black Cloud: What Does It Mean When An Application Has A Hash Of Zeroes/0s?

Environment

  • Carbon Black Cloud Console: All Versions
    • Audit and Remediation (was CB LiveOps)
    • Endpoint Standard (was CB Defense)
    • Enterprise EDR (was CB ThreatHunter)
    • Managed Detection (was CB ThreatSight)
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Question

What does it mean when the hash for an application shows as a long chain of zeroes/0s, or when the following message is seen for an Event?

Origin: The file with hash 0000000000000000000000000000000000000000000000000000000000000000 was detected by Confer

Answer

An all-zero hash indicates a System process or thread running at the kernel level of the Operating System (OS), for which there is no actual file to be hashed. This will typically show when a System process/thread is performing some work, either on the endpoint or over the network.

Additional Notes

  • Blacklisting or otherwise blocking such a hash will have a negative impact on normal Operating System functionality and should not be done
  • A hash of all zeroes can also be called a synthetic hash
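
A pre-check that could be run over a list of SHA-256 values before they are submitted as hash bans, so that the synthetic all-zero hash is never blocked. This is an added example, not Carbon Black code; the function name, the input format and the sample values are assumptions constructed for illustration.

```python
import re

# 64 hex characters = SHA-256, the length of the hash shown in the article.
SHA256_RE = re.compile(r"[0-9a-f]{64}")
# Synthetic hash: kernel-level System process/thread, no file behind it.
SYNTHETIC_HASH = "0" * 64


def split_ban_candidates(candidates):
    """Split candidate hashes into (safe_to_ban, rejected).

    rejected is a list of (original_value, reason) tuples so an analyst
    can see why each entry was dropped (hypothetical helper).
    """
    safe, rejected, seen = [], [], set()
    for raw in candidates:
        value = raw.strip().lower()  # normalise case and stray whitespace
        if not SHA256_RE.fullmatch(value):
            rejected.append((raw, "not a SHA-256 hex string"))
        elif value == SYNTHETIC_HASH:
            rejected.append((raw, "synthetic all-zero hash (System process/thread)"))
        elif value in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add(value)
            safe.append(value)
    return safe, rejected


# Constructed sample input (not real indicators).
SAMPLE = [
    "0000000000000000000000000000000000000000000000000000000000000000",
    "AB" * 32,                # valid SHA-256 in upper case
    " " + "ab" * 32 + "\n",   # same value with whitespace: duplicate
    "0" * 63 + "1",           # looks similar but is not the synthetic hash
    "0" * 40,                 # all zeroes, wrong length for SHA-256
    "not-a-hash",
]

if __name__ == "__main__":
    safe, rejected = split_ban_candidates(SAMPLE)
    print("safe to ban:", safe)
    for value, reason in rejected:
        print("rejected:", repr(value), "->", reason)
```
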

Article Information

Creation Date: 09-09-2020