Carbon Black - Process Document Tagging Changes

This document applies to Carbon Black versions 5.0 through 5.0 patch 3

Overview:

This document outlines changes that have been made to how Carbon Black tags md5 feed hits on both processes and binaries. This behavior changed in 5.0, was reverted in 5.0 patch 1, and will change again in 5.0 patch 3 and 5.1.

In 5.0 a change was made so that feed hits on an md5 within a feed would be generated both when the binary matching the md5 was first seen and every time a process executed with that md5 as either its executable or a loaded module. This means that, if enabled, feeds like NVD would generate an alert every time a process with a vulnerable executable or module executed, not just when the binary was first seen. This change had the unintended consequence of a high volume of feed hit events on the enterprise bus for feeds with a high hit rate, particularly the SRS trust feed, which hits on md5s quite frequently, and the Virus Total feed for binaries flagged with low scores such as 1 and 2.

As a fix for the performance issues, a change was made in 5.0 patch 1 that altered the default behavior of Carbon Black and undid some of the 5.0 functionality. As a result, md5 feed hits (and the resulting alerts) were only generated when the binary was first seen, not every time the process executed. This reverts to the pre-5.0 behavior, and might result in missed alerts on feeds like NVD, where the user would expect an alert every time the application is run, not just the first time the binary is seen.

In 5.0 patch 3 and 5.1 these changes will be undone and the default behavior will revert to the 5.0 behavior: both process documents and binary documents will be tagged with md5 hits, and the associated alerts will be generated each time the process is seen, not just the first time the binary is seen. A few other checks have been added to Carbon Black to avoid the performance issues.

For users on 5.0 patch 1 and patch 2, the cb.conf value “EnableProcessMd5FeedHits” can be set to true to revert the system behavior to the 5.0 functionality. Beginning with 5.0 patch 3 that value will default to true.

Background and Details:

In Carbon Black versions up to 4.x, an md5 within a feed would only be tagged on a binary document, and not on any process that loaded an executable or module with that md5. This meant that when a binary with an md5 matching a feed was executed on a Carbon Black system, the enterprise bus would only broadcast a feed hit when the binary was first seen. Any subsequent executions of that binary would not generate a feed hit. A process document would not be tagged for any executable or module matching a feed md5, but the associated binary document would be tagged. When you search in the process analyze page, the server performs a join across the binary and process documents. This allows the user to run a process search based on the score of an md5 tagged on a binary document, such as “alliance score greater than 0” (alliance_score_nvd:[1 TO *]).

With the addition of alerts in 5.0, the development team felt it was necessary to tag feed md5s on process documents in addition to binary documents so that alerts would be generated every time a process with the md5 is seen. This means we generate an enterprise bus event, generate any configured alert, and tag the process document. This allows the NVD feed to generate an alert every time the vulnerable executable is executed, not just the first time the binary was seen. This is the desired behavior, as it lets the user see the vulnerable process every time it executes.

After the 5.0 release a few customers with large deployments noticed a performance impact on their Carbon Black servers. An investigation found that the SRS trust feed was generating a substantial number of feed hits for documents with a negative trust score (positive trust). A similar impact was seen with Virus Total, where a high number of md5s were tagged with a low score of 1. As part of the fixes included in 5.0 patch 1, a cb.conf configuration value (EnableProcessMd5FeedHits) with a default value of false was introduced to revert the 5.0 behavior to the 4.x behavior and avoid feed hits being generated for a high number of processes. A second fix introduced a per-feed minimum score threshold for generating a feed hit bus event (and alert). This was set to 0 for SRS trust and 3 for Virus Total. This means that almost all SRS trust feed entries and some Virus Total feed entries (score < 3) will not generate a bus event on a feed hit and will not generate an alert.

An unintended consequence of the changes introduced in 5.0 patch 1 is that alerts are no longer generated every time a process executes with a feed md5, but only the first time the binary is seen. This makes the NVD feed far less valuable and might result in missed executions.

To avoid this unintended change in behavior, 5.0 patch 3 will set the default value of the configuration value “EnableProcessMd5FeedHits” to true, so that each execution of a process with an md5 matching a feed will result in a bus event and a subsequent alert. The exception is when the feed score for that md5 is below the feed score threshold; in that case no bus event is generated and, consequently, no alert.

Moving forward, the default behavior will be to have EnableProcessMd5FeedHits enabled. The default threshold for feed hits in the SRS Trust feed (FeedHitMinScoreSrsTrust) will be set to 0 and the default threshold for the Virus Total feed (FeedHitMinScoreVirusTotal) will be 3. We do not recommend lowering the SRS Trust and Virus Total feed threshold values and enabling X at the same time for large deployments.
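As an added illustration (not Carbon Black's own code), the following Python models the feed-hit decision this article describes, using the cb.conf key names from the article; the event stream, feed names, scores and MD5 placeholders are constructed for the example, and the rule that a hit fires only when score >= threshold is inferred from the article's description.

```python
# Added illustration of the feed-hit decision described in this article.
# cb.conf key names come from the article; everything else is constructed.

DEFAULTS = {
    "EnableProcessMd5FeedHits": "false",   # 5.0 patch 1 / patch 2 default
    "FeedHitMinScoreSrsTrust": "0",        # SRS Trust per-feed threshold
    "FeedHitMinScoreVirusTotal": "3",      # Virus Total per-feed threshold
}

# Constructed feed identifiers mapped to the cb.conf threshold key that governs them.
THRESHOLD_KEY = {"srstrust": "FeedHitMinScoreSrsTrust",
                 "virustotal": "FeedHitMinScoreVirusTotal"}

def parse_cb_conf(text):
    """Overlay key=value lines of a cb.conf fragment on the defaults above."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def feed_hit_events(conf, events, feed_scores):
    """Return (kind, md5, feed) tuples that produce a bus event and alert.

    events: ("binary", md5) when a binary is first seen, ("process", md5)
            for every execution whose executable or module has that md5.
    feed_scores: {(md5, feed): score} - constructed feed contents.
    """
    process_hits = conf["EnableProcessMd5FeedHits"].lower() == "true"
    out = []
    for kind, md5 in events:
        if kind == "process" and not process_hits:
            continue  # 4.x / 5.0 patch 1: only the binary document is tagged
        for (hit_md5, feed), score in feed_scores.items():
            if hit_md5 != md5:
                continue
            key = THRESHOLD_KEY.get(feed)
            if key is not None and score < int(conf[key]):
                continue  # below the per-feed threshold: no bus event, no alert
            out.append((kind, md5, feed))
    return out

# Constructed sample data: MD5_* are placeholders, not real hashes.
SAMPLE_FEEDS = {("MD5_A", "nvd"): 7, ("MD5_B", "srstrust"): -50,
                ("MD5_C", "virustotal"): 1, ("MD5_D", "virustotal"): 5}
SAMPLE_EVENTS = [("binary", "MD5_A"), ("process", "MD5_A"), ("process", "MD5_A"),
                 ("binary", "MD5_B"), ("process", "MD5_B"), ("binary", "MD5_C"),
                 ("binary", "MD5_D"), ("process", "MD5_D")]
```

With the patch 1 defaults the sample stream yields two hits (the NVD binary and the Virus Total score-5 binary); setting EnableProcessMd5FeedHits=true adds a hit for each process execution while the SRS Trust negative score and the Virus Total score of 1 stay suppressed.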

Creation Date: 06-01-2015