Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: All Supported Versions
Question
Why do the following CB Analytics Alerts show a Sensor process (repmgr.exe) invoking malware in the process tree?
- A file (filename.exe) with a reputation of known malware was found on disk.
- A known virus (Virus: MalwareName) was detected.
Answer
- Alerts are generated in this format when a file is detected and scanned on the local system by the Sensor's Reputation Manager Service (repmgr.exe) and assigned a malicious reputation.
- Because the event is for the file's persistence, rather than execution, the parent process is shown as the Sensor process responsible for scanning the file.
- The Sensor does not execute the malware file; it only alerts to the file's existence after detecting it.
Additional Notes
- These types of Alerts can be generated in a number of situations, such as during either a Background or On-Demand Scan, after a malicious file is introduced to the local system, or when a previously scanned file has been updated with a malicious reputation.
- Observations of this type will be assigned one of the following TTPs: DETECTED_MALWARE_APP or DETECTED_BANNED_APP.
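The following triage helper, added here as an example and not Carbon Black code, shows how an analyst might separate these on-disk detections from other alerts in bulk: it treats an alert as a Sensor scan result only when one of the two TTPs above is present and the parent in the process tree is repmgr.exe, flags DETECTED_* alerts whose parent is something else for manual review, and pulls the file or virus name out of the two reason templates quoted in the Question so the follow-up question becomes "how did this file get here" rather than "why did the Sensor run it". The field names (ttps, parent_process_name, reason), the sample alerts and the install path are constructed assumptions; map them to the fields your alert export or SIEM actually provides.

```python
"""Triage helper for CB Analytics alerts in which the Sensor's Reputation Manager
Service (repmgr.exe) appears as the parent of a malware detection.

Added example, not Carbon Black code. Field names (ttps, parent_process_name,
reason) and the sample alerts are constructed assumptions; map them to the
fields your alert export or SIEM actually provides.
"""
import re
from collections import Counter
from typing import Dict, List

# TTPs the article lists for on-disk (persistence) detections.
ON_DISK_DETECTION_TTPS = {"DETECTED_MALWARE_APP", "DETECTED_BANNED_APP"}

# Name of the Sensor's scanning service shown as the parent in these alerts.
REPMGR_NAME = "repmgr.exe"

# Reason templates quoted in the article; the parenthesised part is the artifact.
FILE_REASON = re.compile(
    r"^A file \((?P<file>[^)]+)\) with a reputation of known malware was found on disk\.$"
)
VIRUS_REASON = re.compile(r"^A known virus \((?P<virus>[^)]+)\) was detected\.$")


def parse_reason(reason: str) -> Dict[str, str]:
    """Pull the file name or virus name out of the alert's reason text so the
    analyst can chase where the file came from, not why repmgr.exe 'ran' it."""
    m = FILE_REASON.match(reason.strip())
    if m:
        return {"kind": "file_on_disk", "artifact": m.group("file")}
    m = VIRUS_REASON.match(reason.strip())
    if m:
        return {"kind": "known_virus", "artifact": m.group("virus")}
    return {"kind": "unrecognised", "artifact": ""}


def _basename(path: str) -> str:
    """Last path component, case-folded, for Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def triage(alert: Dict) -> Dict[str, str]:
    """Label one alert:

    sensor_on_disk_detection        DETECTED_* TTP and repmgr.exe in the tree: the
                                    Sensor scanned a file at rest; nothing executed.
    detected_ttp_unexpected_parent  DETECTED_* TTP but the parent is not the Sensor:
                                    does not fit the pattern above, review manually.
    other                           no DETECTED_* TTP; handle under the normal process.
    """
    ttps = {str(t).upper() for t in alert.get("ttps", [])}
    parent = _basename(alert.get("parent_process_name", ""))
    on_disk_ttp = bool(ttps & ON_DISK_DETECTION_TTPS)

    if on_disk_ttp and parent == REPMGR_NAME:
        label = "sensor_on_disk_detection"
    elif on_disk_ttp:
        label = "detected_ttp_unexpected_parent"
    else:
        label = "other"

    result = {"id": str(alert.get("id", "")), "label": label, "parent": parent}
    result.update(parse_reason(str(alert.get("reason", ""))))
    return result


def summarize(alerts: List[Dict]) -> Dict[str, int]:
    """Count alerts per triage label."""
    return dict(Counter(triage(a)["label"] for a in alerts))


# Constructed sample alerts; the install path is a placeholder, not a real location.
SAMPLE_ALERTS = [
    {"id": "a1", "ttps": ["DETECTED_MALWARE_APP"],
     "parent_process_name": r"C:\SENSOR_DIR_PLACEHOLDER\repmgr.exe",
     "reason": "A file (invoice.exe) with a reputation of known malware was found on disk."},
    {"id": "a2", "ttps": ["DETECTED_BANNED_APP"],
     "parent_process_name": "repmgr.exe",
     "reason": "A known virus (Virus: ExampleName) was detected."},
    {"id": "a3", "ttps": ["DETECTED_MALWARE_APP"],
     "parent_process_name": r"C:\Windows\explorer.exe",
     "reason": "A file (tool.exe) with a reputation of known malware was found on disk."},
    {"id": "a4", "ttps": ["PLACEHOLDER_OTHER_TTP"],
     "parent_process_name": r"C:\Windows\explorer.exe",
     "reason": "constructed non-matching reason text"},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(triage(a))
    print(summarize(SAMPLE_ALERTS))
```

The parent check is deliberately a basename comparison so that the same logic works whether the export gives a full path or a bare process name; if your data carries the full path, a stricter check that the path sits under the Sensor's install directory is a cheap extra guard against a lookalike binary named repmgr.exe.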