Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Windows Sensor: Sensor 3.4 and below
- Microsoft Windows: All Supported Versions
Symptoms
- Endpoint rebooted and Malware application started before CB Defense Sensor
- Sensor does not terminate running Malware process immediately
- Malware application is blocked once the Sensor is loaded fully
Cause
- The CB Defense Sensor may allow brief execution for processes which start before the CB Defense service (RepMgr) is able to run and act on Policy Rules based on the reputation for the application.
- This issue is being tracked for fix with the ID SECEFF-6
Resolution
This issue has been resolved in Sensor Version 3.5 with a new feature that will find all malicious services associated with Known Malware hashes and puts them in a disabled state.
Additional Notes
- Malware can also be removed from the impacted endpoint either manually or automatically using the Malware Removal page in the CB Defense Web Console.
- Go to the Malware Removal page
- Select Mode: Detected to see detected files with malware reputations
- Use the dropdown at the far-right of the line for the desired file to select Delete application
- On the Delete Application pop-up, follow the instructions to confirm that the hash is bad
- Use the radio-buttons to select one of the options to Delete this application from
- This device only
- All devices
- Application will be queued for deletion on the next Sensor check-in
Related Content