Access official resources from Carbon Black experts
Advanced Search
IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!
Cb Defense: Application name is blank in Selected App, Target App, or Parent App tabs
Environment
CB Defense PSC Console: All Versions
Symptoms
In the Investigate Page, the Application name is blank or missing from the the Selected App, Target App, or Parent App tabs when selecting an event
The SHA256 Hash, Signed By, and Reputation fields are populated
This behavior is mainly observed on VDI or virtual devices, but it can also occur on physical devices as well
Cause
It is expected that occasionally application names will be blank while all other fields i.e. SHA256 Hash, Signed By, and Reputation fields are populated
To combat attacks where a file is renamed to avoid arousing suspicion, the Selected App, Target App, or Parent App tabs will remain blank if the metadata file did not contain an application name or if the the Predictive Security Cloud (PSC) had a filename that conflicted with the filename on disk.
The purpose of this behavior is to show that there may be differences between the filename in the event details (filename on disk) and the PSC or metadata file.
Resolution
Expand the event details and use the Parent name field to confirm the Parent App name recorded on the device disk.
Expand the event details and use the Process name field to confirm the Selected App name recorded on the device disk.
Expand the event details and use the Target name field to confirm the Target App name recorded on the device disk.
Additional Notes
The PSC uses the event details to populate the application name stored on the device disk and the Selected App, Target App, or Parent App tabs to populate the application name provided in the file's metadata or the application name provided by the Carbon Black PSC for that hash. Internal Reference: DSER-2384
Carbon Black engineering has also found that the Application Name is missing for legitimate applications because the PSC has trouble getting the Application Name in certain instances. Internal Reference: DSER-16912