Carbon Black Cloud: Why is malware allowed to propagate to other devices?
Carbon Black Cloud Web Console: All Versions
Carbon Black Cloud Sensor: All Versions
Microsoft Windows: All Versions
Apple MacOS: All Versions
Why is malware allowed to propagate to other devices?
Carbon Black Cloud does allow the initial copying or creation of files on systems, as it does not run a reputation request on file creation. The sensor will wait until one of two conditions are met:
The file to execute, at which time delay execute kicks in
The sensor requests reputation in the next send window
The sensor retrieves the reputation before allowing the file to run, so all file access to the malware will be blocked if the appropriate policies are in place. This is done for performance reasons and is expected behavior
If "Auto-delete known malware hashes after" is not enabled, the sensor will allow the file to remain on the device by default, but an in-place quarantine will prevents the known malware from running or allowing other files to access this file if the applicable policies enabled
Depending on the policy rules in place, CBC will prevent any application from accessing a known malware, suspect malware, pup, or company black list file. This behavior is effectively considered a file quarantine or "quarantine-in-place". The read operation will be denied, logged, and provisionally included in any threat that may be created at that time
The “DENY” action will only deny access to the requested resource, but the “TERMINATE” action will actually terminate the process or thread
Both “DENY” and “TERMINATE” functions are essentially the same when the operation is “tries to run or is running” and an application is attempting to run for the first time; however, the "TERMINATE" action will be more effective in cases where the application was already running