Carbon Black Cloud: Why are MD5 Hash Values Included in Some Event Data?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Endpoint Standard Sensor: All Supported Versions
  • Carbon Black Cloud Enterprise EDR Sensor: All Supported Versions

Question

Why are MD5 hash values included in Event and Alert data in the Console when the policy option "Hash MD5" is unchecked?


Answer

  • Customers with Enterprise EDR will always hash MD5. 
  • Customers with Endpoint Standard + Enterprise EDR will see that MD5s are hashed even with the policy setting unchecked.
  • Customers with Endpoint Standard only should not see MD5 hashes when this option is unselected; if MD5 hashes are seen, please reach out.

Additional Notes

  • The Hash MD5 option will prevent the Sensor from calculating MD5 hashes when the calculation will affect a process at startup; otherwise, MD5 hashes will still be calculated.
  • The Hash MD5 option will not affect hash calculations that occur after a process has started and the Sensor has performed initial reputation lookups.
  • For environments with Endpoint Standard and Enterprise EDR, Enterprise EDR data will always generate the MD5 hash regardless of the policy settings.

Article Information
Creation Date: 04-09-2019