Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: What does "MALWARE_SERVICE_DISABLED" & "MALWARE_SERVICE_FOUND" TTP mean?

Carbon Black Cloud: What does "MALWARE_SERVICE_DISABLED" & "MALWARE_SERVICE_FOUND" TTP mean?

Environment

  • Carbon Black Cloud Console: All Versions
  • Microsoft Windows: All Supported Versions

Question

What does "MALWARE_SERVICE_DISABLED" & "MALWARE_SERVICE_FOUND" TTP mean?

Answer

  • When a Malware Service is disabled, analytics will generate the following alert text and augment TTP MALWARE_SERVICE_DISABLED
The known virus ‘x’ was detected and associated with the service ‘y’ configured to launch as ‘z’. A Disable Service Policy Action was applied.
  •  When a Malware Service is found but not disabled, analytics will generate the following alert text and augment with TTP MALWARE_SERVICE_FOUND
The suspected virus ‘x’ was detected and associated with the service ‘y’ configured to launch as ‘z’.

NOTE: Where x = malware name, y = service name, z = launch mode

Additional Notes

  • Starting in Sensor version 3.5, a new feature has been added which will find all malicious services associated with Known Malware hashes and puts them in a disabled state. 
  • Malicious services that run at start-up have the potential to execute and impact the endpoint before the sensor starts up.
  • If the sensor disables the malware service, the service(s) remain in disabled state across reboots, and therefore cannot execute at startup.
  • If a service binary in question was not malicious or if some other tool is used to clean the malware, then the sensor will not automatically enable the service again.
  • This feature only applies to files with a Known Malware reputation.
  • Adding the file hash to the Company Approved List will override this behavior.

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎09-09-2020
Views:
582
Contributors