logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

December 2016 Alert of Potential Product Issue - Cb Protection (Bit9)

December 2016 Alert of Potential Product Issue - Cb Protection (Bit9)

Cb Protection Rules Missing Action & Operation Settings

Summary

Within Cb Protection we have identified an issue in which rules may lose their ability to detect and respond to operations which can lead to security or operational weaknesses. We estimate this issue affected fewer than 4% of customers and we are reaching out to those that we believe have been impacted.

Details

During our QA process we uncovered a defect that could render a rule ineffective because of the removal of action and operations from the rule.

All Cb Protection rules contain Operation and Action fields that tell the agent what to look for and what to do when the agent encounters the operation.

We have determined that in two situations the Operation and Action of a rule can be unintentionally set to detect nothing and do nothing. Those situations occur when:

  • A rule is edited/modified using the hidden settings that require ShowHiddenCustomRules to be enabled
  • Modifying  or Enabling a Sample rule provided by Carbon Black within Cb Protection 7.2.1+ and then upgrading to 7.2.3 (with the exception of 7.2.3 Patch 4)

Impacted Versions

Customers running 7.2.1 and later excluding new customers who initially installed 7.2.3 Patch 4.

Known Customer Impact

We estimate this issue has affected less than 4% of our customers.

Security Impact

Depending on the environment and the intention of the rule, the impact will vary.

Affected rules that are designed to report or block will not perform either action. For example, if the Autostart Rule that ships with the product with an action of Report is impacted, it would not report any changes when a registry autostart location was modified. This could be considered a security risk.

Similarly an impacted rule that is designed to allow an application to run on a system configured for High Enforcement would not actually allow the file to execute and result in an unwanted block. While certainly a nuisance, this likely isn’t a security risk.

In both cases the rule did not do what it was intended, however the security impact may vary.

Remediation

For customers connecting to Cb Collective Defense Cloud (formerly known as SRS), a set of health indicators will be delivered via the cloud to your server running Cb Protection 7.2.1 or later. There are two separate health indicators. One displays rules that you can fix from within the console. The other displays rules that need to be fixed with the assistance of Carbon Black Technical Support. Information will be provided in the alert on how to address any impacted rules.

If the health indicator detects a rule with a missing Operation and Action an alert will display within the console. Conversely, if you do not have any impacted rules, the health indicator will inform you of that as well.

If you are not connecting to the Cb Collective Defense Cloud, you can install the health indicators by running the attached SQL script on your Cb Protection database.

If you have any questions or need assistance with installing the health indicators, please contact Cb Technical Support.

Attachments
InstallRuleIndicators.sql.zip
Was this article helpful? Yes No
No ratings
Article Information
Author:
ddewald
Creation Date:
‎12-12-2016
Views:
1124
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.