
Carbon Black Cloud: What is "Block known bad files before execution" setting (Linux)

Environment

  • Carbon Black Cloud Console: Build 1.23 and Higher
  • Linux: Sensor Version 2.16.0 and Higher
  • OS Distributions supported: eBPF Distros

Question

What is the "Block known bad files before execution" setting?

Answer


Inline Blocking (ILB) is an advanced Linux security measure aimed at identifying and preventing the execution of malicious binaries.

Additional Notes

  • To enable Inline Blocking, follow the steps below: 
    1. Log into the Console
    2. Navigate to Enforce page
    3. Navigate to Policies
    4. Enable “Block known bad files before execution”.
  • Tip: “Pause executables to analyze and attempt to block known bad files before they run. Increases security but may impact overall performance in high-performance computing environments.”
  • To mitigate potential adverse effects on system performance, the pause while a file is analyzed is subject to a timeout.
  • Enabling this feature for sensors that are not running a supported version has no effect on the endpoint.
  • Before inline blocking, the sensor allowed every binary to start running long enough for the sensor to compute its hash and evaluate it against the locally cached policy rules; if the binary was identified as malicious, its process was then terminated. Inline blocking for Linux improves on this existing Linux prevention capability by closing the window in which a short-running binary could finish executing before it was fully blocked.
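The difference between the two behaviours described in the last note, as an added illustrative model (not Carbon Black code): the legacy path lets the process start while the hash is computed, so a bad binary whose runtime is shorter than the lookup finishes before it can be killed, whereas the inline path gates the exec on the verdict. The timeout value and the assumption that a timed-out pause is released are constructed for this model; the page states neither.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the sensor's locally cached policy rules: SHA-256 -> reputation.
BAD_SAMPLE = b"#!/bin/sh\n# constructed sample standing in for a known-bad binary\n"
KNOWN_BAD = {hashlib.sha256(BAD_SAMPLE).hexdigest()}
INLINE_TIMEOUT_MS = 1000  # assumed bound on how long an exec stays paused; the real value is not on the page


@dataclass(frozen=True)
class Outcome:
    result: str      # what the sensor model decided
    executed: bool   # whether any of the binary's own code got to run


def reputation(content: bytes) -> str:
    """Hash the file and consult the cached rules (the part both models share)."""
    return "bad" if hashlib.sha256(content).hexdigest() in KNOWN_BAD else "good"


def legacy_exec(content: bytes, runtime_ms: int, lookup_ms: int) -> Outcome:
    """Pre-ILB behaviour: the process starts immediately and the hash/policy check
    runs alongside it, so a bad process is only killed if it is still alive
    when the verdict arrives after lookup_ms."""
    if reputation(content) == "good":
        return Outcome("allowed", executed=True)
    if runtime_ms <= lookup_ms:
        # Short-running binary: finished its work before the verdict, nothing left to kill.
        return Outcome("completed-before-verdict", executed=True)
    return Outcome("killed-mid-run", executed=True)


def inline_exec(content: bytes, runtime_ms: int, lookup_ms: int,
                timeout_ms: int = INLINE_TIMEOUT_MS) -> Outcome:
    """ILB behaviour: the exec is paused until the verdict, so runtime_ms no longer
    matters for a bad file. If the verdict is not back within timeout_ms the pause
    is released (assumed fail-open, modelled from the page's performance note)."""
    if lookup_ms > timeout_ms:
        return Outcome("timeout-released", executed=True)
    if reputation(content) == "bad":
        return Outcome("blocked-before-exec", executed=False)
    return Outcome("allowed", executed=True)


if __name__ == "__main__":
    for name, fn in (("legacy", legacy_exec), ("inline", inline_exec)):
        print(name, "short bad binary:", fn(BAD_SAMPLE, runtime_ms=5, lookup_ms=20))
```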

Creation Date: 02-21-2024