Environment
- Cb Defense Sensor: 3.2.x
- The Blocking and Isolation policy rule for "Adware or PUP" is set to terminate the process upon "Perform ransomware-like behavior"
Symptoms
Logs show that a Potentially Unwanted Program (PUP) was allowed to call the function "CreateWindowExW".
Cause
CreateWindowExW is not one of the APIs the sensor checks for ransomware behavior, so the call did not match the "Perform ransomware-like behavior" rule and was allowed under the policy.
Resolution
- From the main Dashboard screen, go to Enforce > Policies
- Select the policy where the "Adware or PUP" rule is set to terminate upon "Perform ransomware-like behavior"
- Change the rule in that policy to "Runs or is running" > "Terminate process"
Additional Notes
- Carbon Black recommends testing policy changes on a test group/environment prior to deployment into production.