
Carbon Black Cloud: Known Malware Allowed To Run After Reboot

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Windows Sensor: Sensor 3.4 and below
  • Microsoft Windows: All Supported Versions

Symptoms

  • The endpoint is rebooted and a malware application starts before the CB Defense Sensor
  • The Sensor does not terminate the running malware process immediately
  • The malware application is blocked once the Sensor is fully loaded

Cause

  • The CB Defense Sensor may allow brief execution of processes that start before the CB Defense service (RepMgr) is running and able to enforce Policy Rules based on the application's reputation.
  • This issue is tracked for a fix under the ID SECEFF-6

Resolution

This issue has been resolved in Sensor Version 3.5 with a new feature that finds all malicious services associated with Known Malware hashes and puts them in a disabled state.
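As an added illustration of the kind of check that feature automates (example code written for this article, not Carbon Black's own), the PowerShell below enumerates auto-start services, hashes each service binary, and reports or disables any whose hash is on a known-malware list, so it cannot launch ahead of the Sensor on the next boot. The hash list is a constructed placeholder; substitute hashes from your own reputation source.

```powershell
# Added example, not Carbon Black code. Finds auto-start services whose binary
# hash is on a known-malware list and optionally disables them so they do not
# start before the sensor at the next reboot. Run from an elevated session.

# Constructed placeholder hashes; replace with values from your reputation source.
$KnownBadSha256 = @(
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
)

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A service PathName may be quoted and may carry arguments; isolate the executable.
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Find-KnownMalwareService {
    param([string[]]$BadHashes, [switch]$Disable)
    $hits = @()
    # Only services that start on their own at boot (StartMode Auto) can win the
    # race against the sensor service, so those are the ones worth auditing.
    $autoServices = Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }
    foreach ($svc in $autoServices) {
        if (-not $svc.PathName) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ServiceBinaryPath $svc.PathName))
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        if ($BadHashes -contains $hash) {
            $hits += [pscustomobject]@{ Name = $svc.Name; Path = $exe; SHA256 = $hash }
            if ($Disable) {
                # Disabled start type prevents the service from launching at the next boot;
                # stopping it handles the copy that is already running.
                Set-Service -Name $svc.Name -StartupType Disabled
                Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            }
        }
    }
    return $hits
}

# Report only; add -Disable to put matching services in a disabled state.
Find-KnownMalwareService -BadHashes $KnownBadSha256 | Format-Table -AutoSize
```

Review the report before running with -Disable, since a hash collision with a legitimate service binary would take that service offline.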

Additional Notes

  • Malware can also be removed from the impacted endpoint, either manually or automatically, using the Malware Removal page in the CB Defense Web Console:
    1. Go to the Malware Removal page
    2. Select Mode: Detected to see detected files with malware reputations
    3. Use the dropdown at the far right of the line for the desired file to select Delete application
    4. On the Delete Application pop-up, follow the instructions to confirm that the hash is bad
    5. Use the radio buttons to select one of the options for Delete this application from:
      • This device only
      • All devices
    6. The application will be queued for deletion at the next Sensor check-in

Creation Date: 08-09-2018