Environment

• Carbon Black Cloud Web Console: All Versions
• Carbon Black Cloud Sensor: All Versions
• Microsoft Windows: All Versions
• Apple MacOS: All Versions

Question

Answer

• Carbon Black Cloud does allow the initial copying or creation of files on systems, as it does not run a reputation request on file creation. The sensor will wait until one of two conditions are met: 
  • The file to execute, at which time delay execute kicks in 
  • The sensor requests reputation in the next send window 
• The sensor retrieves the reputation before allowing the file to run, so all file access to the malware will be blocked if the appropriate policies are in place. This is done for performance reasons and is expected behavior
• If "Auto-delete known malware hashes after" is not enabled, the sensor will allow the file to remain on the device by default, but an in-place quarantine will prevents the known malware from running or allowing other files to access this file if the applicable policies enabled

Additional Notes

• Depending on the policy rules in place, CBC will prevent any application from accessing a known malware, suspect malware, pup, or company black list file. This behavior is effectively considered a file quarantine or "quarantine-in-place". The read operation will be denied, logged, and provisionally included in any threat that may be created at that time
• The “DENY” action will only deny access to the requested resource, but the “TERMINATE” action will actually terminate the process or thread
• Both “DENY” and “TERMINATE” functions are essentially the same when the operation is “tries to run or is running” and an application is attempting to run for the first time; however, the "TERMINATE" action will be more effective in cases where the application was already running

Related Content