
Carbon Black Cloud: Why Does an Alert Show repmgr.exe as the Parent Process for a Malware Detection?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Supported Versions

Question

Why do the following CB Analytics Alerts show a Sensor process (repmgr.exe) invoking malware in the process tree?

  • A file (filename.exe) with a reputation of known malware was found on disk.
  • A known virus (Virus: MalwareName) was detected.

Answer

  • Alerts are generated in this format when a file is detected and scanned on the local system by the Sensor's Reputation Manager Service (repmgr.exe) and assigned a malicious reputation.
  • Because the event is for the file's persistence, rather than execution, the parent process is shown as the Sensor process responsible for scanning the file.
  • The Sensor is not executing the malware file, but is only alerting to its existence after detecting the malicious file.

Additional Notes

  • These types of Alerts can be generated in a number of situations, such as during either a Background or On-Demand Scan, after a malicious file is introduced to the local system, or when a previously scanned file has been updated with a malicious reputation.
  • Observations of this type will be assigned one of the following TTPs: DETECTED_MALWARE_APP or DETECTED_BANNED_APP.
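The following triage helper is an added example and is not Carbon Black's code. It applies the article's two facts (the parent is repmgr.exe because the Sensor scanned the file rather than launched it, and such observations carry DETECTED_MALWARE_APP or DETECTED_BANNED_APP) to separate file-on-disk reputation detections from alerts whose process tree should be read as real execution lineage. The alert records and their field names (alert_id, reason, parent_name, process_name, ttps) are constructed to mirror the article's wording and are not the Carbon Black Cloud API schema.

```python
"""Triage helper for CB Analytics alerts whose parent process is the Sensor's
Reputation Manager (repmgr.exe).

Added example, not Carbon Black's code. The alert records below and their field
names (alert_id, reason, parent_name, process_name, ttps) are constructed to
mirror the article's wording; they are not the Carbon Black Cloud API schema.
"""
from dataclasses import dataclass

# Sensor process that scans files and assigns reputations (from the article).
SENSOR_SCANNER = "repmgr.exe"
# TTPs the article says are attached to file-on-disk observations.
ON_DISK_TTPS = {"DETECTED_MALWARE_APP", "DETECTED_BANNED_APP"}


@dataclass(frozen=True)
class Triage:
    alert_id: str
    category: str  # "file_on_disk", "reputation_hit", or "review_process_tree"
    note: str


def triage_alert(alert: dict) -> Triage:
    """Classify one alert by who the parent is and which TTPs it carries."""
    parent = (alert.get("parent_name") or "").lower()
    ttps = set(alert.get("ttps", []))
    hit = ttps & ON_DISK_TTPS
    if parent == SENSOR_SCANNER and hit:
        # The Sensor scanned the file and flagged its presence; nothing ran.
        return Triage(alert["alert_id"], "file_on_disk",
                      f"{SENSOR_SCANNER} is the scanner, not the launcher; "
                      f"remediate the file ({', '.join(sorted(hit))})")
    if hit:
        # Same TTPs but a different parent: still a reputation verdict on a
        # file, but the parent is worth a look before closing the alert.
        return Triage(alert["alert_id"], "reputation_hit",
                      f"reputation TTP with parent {parent or 'unknown'}")
    # Anything else is not a reputation-scan observation covered by the article.
    return Triage(alert["alert_id"], "review_process_tree",
                  "no file-reputation TTP; treat the process tree as real lineage")


def summarize(alerts) -> dict:
    """Count alerts per triage category."""
    counts = {}
    for a in alerts:
        cat = triage_alert(a).category
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample alerts modelled on the two alert reasons in the article.
SAMPLE_ALERTS = [
    {"alert_id": "A-1",
     "reason": "A file (filename.exe) with a reputation of known malware was found on disk.",
     "parent_name": "repmgr.exe", "process_name": "filename.exe",
     "ttps": ["DETECTED_MALWARE_APP"]},
    {"alert_id": "A-2",
     "reason": "A known virus (Virus: MalwareName) was detected.",
     "parent_name": "RepMgr.exe", "process_name": "filename.exe",
     "ttps": ["DETECTED_BANNED_APP"]},
    {"alert_id": "A-3",
     "reason": "constructed: banned application detected",
     "parent_name": "explorer.exe", "process_name": "filename.exe",
     "ttps": ["DETECTED_BANNED_APP"]},
    {"alert_id": "A-4",
     "reason": "constructed: alert without a file-reputation TTP",
     "parent_name": "cmd.exe", "process_name": "filename.exe",
     "ttps": []},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        t = triage_alert(a)
        print(f"{t.alert_id}: {t.category:20} {t.note}")
    print(summarize(SAMPLE_ALERTS))
```

The parent-name comparison is case-insensitive because Windows process names vary in case across alert sources; the match on both the parent and the TTP set is deliberate, so that an alert carrying a reputation TTP but a non-Sensor parent is not silently closed as a scan artifact.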

Article Information
Creation Date: 11-02-2023