Cb Defense: Application name is blank in Selected App, Target App, or Parent App tabs

Environment

  • CB Defense PSC Console: All Versions

Symptoms

  • On the Investigate page, the Application name is blank or missing from the Selected App, Target App, or Parent App tabs when selecting an event
  • The SHA256 Hash, Signed By, and Reputation fields are populated
  • This behavior is mainly observed on VDI or virtual devices, but it can also occur on physical devices

Cause

  • It is expected that application names will occasionally be blank while all other fields (SHA256 Hash, Signed By, and Reputation) are populated
  • To combat attacks where a file is renamed to avoid arousing suspicion, the Selected App, Target App, or Parent App tabs will remain blank if the metadata file did not contain an application name or if the Predictive Security Cloud (PSC) had a filename that conflicted with the filename on disk.
  • The purpose of this behavior is to show that there may be differences between the filename in the event details (filename on disk) and the PSC or metadata file.

Resolution

  • Expand the event details and use the Parent name field to confirm the Parent App name recorded on the device disk.
  • Expand the event details and use the Process name field to confirm the Selected App name recorded on the device disk.
  • Expand the event details and use the Target name field to confirm the Target App name recorded on the device disk.
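
When many events show a blank application name, the same confirmation can be done in bulk. The following is an added example, not Carbon Black code: it groups blank-name events by SHA256 and lists the on-disk names seen for each hash, so a hash that appears under more than one filename stands out for rename review. The record layout and field names (app_name, process_name, sha256, device) are assumptions, not the console's export schema, and the sample events are constructed.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows-style paths on any OS

# Constructed sample events. Field names are hypothetical, not a vendor schema;
# hash values are placeholders.
EVENTS = [
    {"device": "vdi-01", "app_name": "", "sha256": "hash-A",
     "process_name": r"c:\windows\system32\notepad.exe"},
    {"device": "vdi-02", "app_name": "", "sha256": "hash-A",
     "process_name": r"c:\users\a\appdata\local\temp\SVCH0ST.EXE"},
    {"device": "pc-07", "app_name": "", "sha256": "hash-B",
     "process_name": r"c:\program files\vendor\updater.exe"},
    {"device": "pc-07", "app_name": "Example Editor", "sha256": "hash-C",
     "process_name": r"c:\program files\editor\editor.exe"},
]


def triage_blank_names(events):
    """Group events that have a blank application name but a populated hash.

    Returns {sha256: {"disk_names": [...], "devices": [...], "review": bool}}.
    "review" is True when one hash was seen under several on-disk filenames,
    which is what a renamed file looks like from the event details.
    """
    names = defaultdict(set)
    devices = defaultdict(set)
    for ev in events:
        # Skip events where the tab would show a name, or where no hash exists.
        if ev.get("app_name", "").strip() or not ev.get("sha256"):
            continue
        sha = ev["sha256"]
        # The on-disk name is the last path component, compared case-insensitively.
        names[sha].add(basename(ev["process_name"]).lower())
        devices[sha].add(ev["device"])
    return {
        sha: {
            "disk_names": sorted(names[sha]),
            "devices": sorted(devices[sha]),
            "review": len(names[sha]) > 1,
        }
        for sha in names
    }


if __name__ == "__main__":
    for sha, info in sorted(triage_blank_names(EVENTS).items()):
        flag = "REVIEW" if info["review"] else "ok"
        print(f"{sha}: {flag} names={info['disk_names']} devices={info['devices']}")
```
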

Additional Notes

  • The event details are populated with the application name stored on the device disk, while the Selected App, Target App, or Parent App tabs are populated with the application name provided in the file's metadata or the application name provided by the Carbon Black PSC for that hash. Internal Reference: DSER-2384
  • Carbon Black engineering has also found that the Application Name is missing for legitimate applications because the PSC has trouble getting the Application Name in certain instances. Internal Reference: DSER-16912

 

Article Information
Creation Date: 03-14-2018