Environment
- Carbon Black Cloud Console - All Versions
- Endpoint Standard Sensorr: 3.0.x.x and Higher
Symptoms
- Priority 8 Alert - The [application name] attempted to access the raw disk on the device. TTPs: "kernel_access" and "set_system_file"
This is a article attached image
- Priority 8 Alert - The [application name] attempted to modify a user data file. TTPs: "access_data_files" and "data_to_encryption"
This is a article attached image
Cause
- The first type of alert will be generated for all applications attempting to access the raw disk. Not just Outlook. Carbon Black made some improvements to sensor version 3.1 to which would help mitigate the first type of false positive, however, even with these improvements it is still possible that this false positive may occur. This KB will be updated with the sensor release that will contain the complete fix for this issue once it has been confirmed.
- However, the second issue has not yet been fixed. In sensor version 3.0.1, the product was reporting on any access to these decoy files on systems irrespective of application reputation or policy, so we created a fix in sensor version 3.0.2.2 to significantly reduced the sensitivity of canary modification detection. See Cb Defense Windows Sensor 3.0.2 Release Notes.pdf. However, even with this fix, we observed that false positives of this type are still occurring to a lesser degree. We are currently investigating a way to refine the sensitivity of canary file detection even further. This KB will be updated with the sensor release that will contain this fix once it has been confirmed.
Resolution
There is no resolution to this issue currently, but dismissing these Alerts will reduce noise generated in the interim.
If you suspect that there are other ransomware false positives outside of the two which have been described in this article, please create a support case with the Alert ID (formerly called Incident ID).
If you suspect that there are other ransomware false positives outside of the two which have been described in this article, please create a support case with the Alert ID (formerly called Incident ID).
Additional Notes
User data files are decoy files that are owned by the sensor and which are hidden throughout the filesystem. These files are designed to be interesting to ransomware and are encrypted early in a ransomware attack. To determine if the alert was caused by a canary file use this process.
Since these false positives are generated because of the Enhanced Ransomware Detection available in Sensor version 3.0.x.x and higher, both of the aforementioned false positives will occur regardless of application reputation or policy. While we are working to provide a resolution to these issues, there are two things you can do to filter out these false positives from your Alert view.
- When using the alerts page use the search query: NOT (KERNEL_ACCESS OR SET_SYSTEM_FILE OR DATA_TO_ENCRYPTION OR ACCESS_DATA_FILES)
- Dismiss alerts for trusted applications and select the checkbox, ‘Apply for future instances’. Please ensure that the 'Group Alerts' option is turned on otherwise the 'Apply for future instances' option does not take effect.
Related Content
Cb Defense: How To Enable Enhanced Ransomware Protection
Cb Defense Ransomware False Positives
Cb Defense: How to Verify Authenticity of Canary Files
Cb Defense Windows Sensor 3.0.2 Release Notes.pdf
Carbon Black Cloud: How to Close Alerts
Endpoint Standard: Event ID vs Alert ID vs Threat ID
Endpoint Standard: How to Verify a Decoy/Canary File is involved in an Alert
Cb Defense Ransomware False Positives
Cb Defense: How to Verify Authenticity of Canary Files
Cb Defense Windows Sensor 3.0.2 Release Notes.pdf
Carbon Black Cloud: How to Close Alerts
Endpoint Standard: Event ID vs Alert ID vs Threat ID
Endpoint Standard: How to Verify a Decoy/Canary File is involved in an Alert
Thank you for your feedback.
Your feedback has been submitted and will be reviewed.