
Cb Defense: Potentially Unwanted Program (PUP) Allowed to Run

Environment

  • Cb Defense Sensor: 3.2.x
  • The Blocking and Isolation policy rule for "Adware or PUP" is set to terminate on "Perform ransomware-like behavior"

Symptoms

Logs show that a Potentially Unwanted Program (PUP) was allowed to execute the function "CreateWindowExW".

Cause

CreateWindowExW is not one of the APIs the sensor checks for ransomware behavior, so the rule did not match and the call was allowed under the policy.

Resolution

  1. From the main Dashboard screen, go to Enforce > Policies.
  2. Select the policy where the "Adware or PUP" rule is set to terminate upon "Perform ransomware-like behavior".
  3. Change the policy to "Runs or is running" > "Terminate process".

Additional Notes

  • Carbon Black recommends testing policy changes on a test group/environment prior to deployment into production.

Article Information
Creation Date: 09-17-2018