
Carbon Black Cloud: Why is there an alert for a malicious file inside a directory that is Bypassed?

Environment

  • Carbon Black Cloud Web Console: All Versions
  • Endpoint Standard Web Console: All Versions
  • Enterprise EDR Web Console: All Versions
  • Carbon Black Cloud Windows Sensor: All Versions

Question

Why are unexpected alerts for the creation of a malicious file, reported as generated by RepMgr.exe, appearing in the Web Console? The malicious file is located inside a directory that is Bypassed due to a Policy setting.

Answer

The combination of several factors creates this unusual situation:
  • Both Endpoint Standard and Enterprise EDR are enabled.
  • The Policy for the affected endpoint includes a Bypass for the directory where the malicious file exists.
  • The malicious file is shown to have been created by RepMgr.exe, which is a process that is part of the Carbon Black Cloud Sensor.
  • Bypassed directories created by Policy settings do not apply to Enterprise EDR (EEDR) functionality.
  • Because of this, EEDR will scan the hash of all *.exe files written to disk, regardless of their location on the file system.
  • If the hash is determined to be malicious software, then an alert is generated.
  • But if the malicious file was created inside a directory that was Bypassed by Endpoint Standard, then the name of the process that generated that file will not be documented.
  • When a process name is not documented in this way, then RepMgr.exe is used instead.
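The practical consequence for an analyst is that the hash verdict in such an alert is real, but the creator process (RepMgr.exe) is a placeholder, not evidence that the sensor wrote the file. The following triage helper is an added example, not Carbon Black code: it takes exported alert records and the Policy's Bypass directories and marks the alerts where the process attribution should be disregarded. The record field names (process_name, file_path, sha256), the sample alerts and the treatment of Bypass entries as plain directory prefixes are all assumptions; a real export may use different names and wildcard syntax.

```python
"""Triage helper for Carbon Black Cloud alerts reported as created by RepMgr.exe.

Added example, not Carbon Black code. Field names and the Bypass list format
are assumptions; adapt them to the real export.
"""
from pathlib import PureWindowsPath

# Process name the sensor substitutes when the real creator is not recorded
SENSOR_PLACEHOLDER_PROCESS = "repmgr.exe"

# Constructed Bypass directories, as a Policy might list them (assumption: plain prefixes)
BYPASS_DIRS = [r"C:\Temp\Tools", r"D:\Builds\Output"]

# Constructed alert records; the sha256 values are placeholders, not real hashes
SAMPLE_ALERTS = [
    {"process_name": "RepMgr.exe", "file_path": r"C:\Temp\Tools\dropper.exe", "sha256": "<placeholder-1>"},
    {"process_name": "RepMgr.exe", "file_path": r"C:\Users\Public\loader.exe", "sha256": "<placeholder-2>"},
    {"process_name": "installer.exe", "file_path": r"D:\Builds\Output\setup.exe", "sha256": "<placeholder-3>"},
    {"process_name": "explorer.exe", "file_path": r"C:\Temp\Tools2\payload.exe", "sha256": "<placeholder-4>"},
]


def _normalise(path):
    # Windows paths are case-insensitive; compare lower-cased path components,
    # not raw string prefixes, so C:\Temp\Tools does not match C:\Temp\Tools2
    return tuple(part.lower() for part in PureWindowsPath(path).parts)


def path_is_bypassed(file_path, bypass_dirs):
    """True if file_path sits at or below any of the Bypass directories."""
    target = _normalise(file_path)
    for directory in bypass_dirs:
        prefix = _normalise(directory)
        if target[: len(prefix)] == prefix:
            return True
    return False


def classify_alert(alert, bypass_dirs):
    """Classify one alert according to the behaviour described in the article.

    unattributed_bypass_write: file in a Bypassed directory and creator shown as
        RepMgr.exe, so the creator process is unknown; rely on the hash only.
    bypass_write: file in a Bypassed directory with a recorded creator process.
    attributed: file outside any Bypass; the creator process is meaningful.
    """
    in_bypass = path_is_bypassed(alert["file_path"], bypass_dirs)
    process = alert.get("process_name", "").lower()
    if in_bypass and process == SENSOR_PLACEHOLDER_PROCESS:
        return "unattributed_bypass_write"
    if in_bypass:
        return "bypass_write"
    return "attributed"


def triage(alerts, bypass_dirs):
    """Return (file_path, classification) for each alert, in input order."""
    return [(a["file_path"], classify_alert(a, bypass_dirs)) for a in alerts]


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_ALERTS, BYPASS_DIRS):
        print(f"{verdict:28} {path}")
```

An alert classified as unattributed_bypass_write should be investigated on the strength of the hash and the file location; the RepMgr.exe attribution on it is not a lead. An alert from RepMgr.exe on a path outside every Bypass directory (the second sample) is classified as attributed and deserves a closer look, because the placeholder behaviour described above does not explain it.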

Article Information
Creation Date: 10-10-2022