logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Cb Defense: Alerts When Document "acted as a network server"

Cb Defense: Alerts When Document "acted as a network server"

Environment

  • Cb Defense Web Console: All Versions
  • Cb Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple Mac OS: All Supported Versions

Symptoms

  • Priority 3 Alert (Monitored) - "The application filename.pdf acted as a network server." with TTPs: HAS_SCRIPT_DLL, RUN_ANOTHER_APP, RUN_UNKNOWN_APP, ACTIVE_SERVER, MODIFY_PROCESS , Or NETWORK_ACCESS
  • Alerts are created when .doc, .pdf, .xlsm, etc. files attempt to communicate over the network or establish a network connection.
  • Alerts continue to re-occur even if dismissed with the option "If this alert occurs in the future, automatically dismiss it from all devices" selected.

Cause

  • These types of alerts may occur when a document management server is used to either pull a document or a resource from within the document; In that case this type of an alert would be a false positive.
  • The reason why these Alerts may re-occur is because whenever the hash of a .pdf, .txt, .doc, etc. file changes, a new Threat ID is assigned to the Alert and it will need to be reviewed and dismissed again as described in Cb Defense: Alert ID vs. Threat ID

Resolution

  • There are a number of ways to help reduce the "noise" within your environment including the use of bulk dismissal for verified false positive alerts as well as adjusting the priority threshold within your environment to a level that will allow you to be alerted to the events that warrant the most revision; In this case it would be raising the threshold to level "4".
  • Ensure the "Group Alerts" option is always enabled when dismissing Alerts and ensure that "If this alert occurs in the future, automatically dismiss it from all devices" is selected as this will prevent future Alerts of this type in the case of a specific hash.

Additional Notes

Another way to mitigate these false positives without compromising security would be to have the option of whitelisting by IP address. This functionality is not currently supported by Cb Defense. If you wish to see it added to the product, please up-vote the following ideas or create new one(s) based on your specific use-case(s).

Related Content

Cb Defense: How is event data categorized, identified, and formed into an Alert?

Cb Defense: Severity, Threat Level, Target Value, Malware Types Information 
Cb Defense: How do I determine which Ransomware Alerts are False Positives?

Cb Defense: Achieving Good, Better and Best Policies

Cb Defense: How to Dismiss Alerts

Cb Defense: How is event data categorized, identified, and formed into an Alert?

Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
alabine
Creation Date:
‎05-02-2018
Views:
1383
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.