Cb Defense: Why is there no Alert in the console after receiving an alert on the Sensor's Local UI?

Environment

  • Cb Defense Web Console: All Versions

  • Cb Defense Sensor: All Versions with Local UI Enabled

Question

Why is no Alert created in the console, even though the sensor showed a pop-up notification on the local endpoint?

Answer

  • The sensor sends the event to the console, where it appears as an Event on the Investigate page, but no Alert is created.
  • No Alert is created because alerting on READ events would flood the console with low-value Alerts.
  • The Sensor UI only shows DENY and TERMINATE notifications, and only for Process Create reports, File Action reports, and reports on malware files found by the Local Scanner.
  • The Sensor UI shows at most one such notification per 6-hour period, so further DENY or TERMINATE events inside that window produce no additional pop-ups even though each one is still recorded on the Investigate page.

Additional Notes

  • Whenever a pop-up notification appears on the Local UI, the corresponding event should be visible on the Investigate page of the console; look for it there rather than expecting an Alert.
  • A READ event is generated whenever a file is accessed but not modified. Backup software, other antivirus products, or any other program that touches or scans the file will therefore generate READ events, as will any program with read permission that opens the file.
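The two rules above (only DENY and TERMINATE events in three report categories reach the Sensor UI, and at most one pop-up per 6-hour window) can be modelled over a list of Investigate-page events to reconstruct what the endpoint user actually saw. The following is an added illustration, not Carbon Black code: the event field names (device, ts, action, category), the label strings, and keying the 6-hour window per device are all assumptions, since the article does not state how the window is tracked.

```python
"""Model of the Sensor UI pop-up gating described in this article.

Constructed illustration, not Carbon Black code. The field names
(device, ts, action, category) and label strings stand in for whatever
the Investigate page exports, and keying the 6-hour window per device is
an assumption the article does not make.
"""
from datetime import datetime, timedelta

# Per the article: only these actions and report categories produce a local
# pop-up. READ events never do, which is also why they never raise an Alert.
POPUP_ACTIONS = {"DENY", "TERMINATE"}
POPUP_CATEGORIES = {"PROCESS_CREATE", "FILE_ACTION", "LOCAL_SCANNER"}
POPUP_WINDOW = timedelta(hours=6)


def is_popup_candidate(event):
    """True if the Sensor UI would notify on this kind of event at all."""
    return event["action"] in POPUP_ACTIONS and event["category"] in POPUP_CATEGORIES


def local_ui_popups(events, window=POPUP_WINDOW):
    """Return the events that would have shown a pop-up on the endpoint.

    Candidates are filtered by action/category, then throttled to one per
    device per `window` (per-device keying is an assumption). Every event,
    shown or suppressed, still exists on the Investigate page.
    """
    last_shown = {}  # device -> timestamp of its most recent pop-up
    shown = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_popup_candidate(ev):
            continue
        prev = last_shown.get(ev["device"])
        if prev is not None and ev["ts"] - prev < window:
            continue  # same device already notified inside the window
        last_shown[ev["device"]] = ev["ts"]
        shown.append(ev)
    return shown


def suppressed_candidates(events, window=POPUP_WINDOW):
    """Pop-up-worthy events swallowed by the throttle (Investigate page only)."""
    shown_ids = {id(e) for e in local_ui_popups(events, window)}
    return [e for e in events if is_popup_candidate(e) and id(e) not in shown_ids]


def read_only_events(events):
    """READ events: visible on Investigate, but neither pop-up nor Alert."""
    return [e for e in events if e["action"] == "READ"]


def _t(hh, mm):
    return datetime(2018, 5, 25, hh, mm)


# Constructed sample events for one day, loosely shaped like an
# Investigate-page export (field names are assumptions).
SAMPLE_EVENTS = [
    {"device": "WS-01", "ts": _t(8, 0), "action": "READ", "category": "FILE_ACTION",
     "note": "backup agent scanned the file"},
    {"device": "WS-01", "ts": _t(8, 5), "action": "DENY", "category": "PROCESS_CREATE",
     "note": "blocked launch; first pop-up on WS-01"},
    {"device": "WS-02", "ts": _t(8, 30), "action": "DENY", "category": "FILE_ACTION",
     "note": "different device, independent window"},
    {"device": "WS-01", "ts": _t(9, 0), "action": "TERMINATE", "category": "PROCESS_CREATE",
     "note": "within 6h of the 08:05 pop-up, so throttled"},
    {"device": "WS-01", "ts": _t(10, 0), "action": "READ", "category": "FILE_ACTION",
     "note": "other AV touched the file"},
    {"device": "WS-01", "ts": _t(14, 30), "action": "DENY", "category": "LOCAL_SCANNER",
     "note": "6h25m after 08:05, window expired, pop-up again"},
]


if __name__ == "__main__":
    for ev in local_ui_popups(SAMPLE_EVENTS):
        print(f"pop-up    {ev['device']} {ev['ts']:%H:%M} {ev['action']} {ev['category']}")
    for ev in suppressed_candidates(SAMPLE_EVENTS):
        print(f"throttled {ev['device']} {ev['ts']:%H:%M} {ev['action']} {ev['category']}")
    print(f"{len(read_only_events(SAMPLE_EVENTS))} READ events: Investigate page only, no Alert")
```

Running it lists three pop-ups (WS-01 at 08:05, WS-02 at 08:30, WS-01 at 14:30), one throttled TERMINATE on WS-01 at 09:00, and two READ events that never surface anywhere but the Investigate page. When an endpoint user reports a pop-up, the corresponding event on the Investigate page may therefore be one of several blocks in that window, and the Alert list is the wrong place to look.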

Related Content

Cb Defense: Why doesn't POLICY_DENY of KNOWN_MALWARE generate an Alert?

Article Information

Creation Date: 05-25-2018