
Endpoint Standard: Banned or malware app was allowed to run although a policy rule was in place to deny / terminate it

Environment

  • Carbon Black Cloud Web Console: All Versions
  • Carbon Black Cloud Sensor: All Versions
  • Microsoft Windows: All Versions
  • Apple MacOS: All Versions

Symptoms

  • A banned or malware app was allowed to run while the sensor was assigned to a policy that has no deny / terminate rule for malware or banned (blacklisted) apps (e.g. Monitored Policy)
  • The sensor goes offline (e.g. it loses its network connection)
  • While the sensor is offline, it is moved to a policy that does have a deny / terminate rule for malware or banned apps (e.g. Standard Policy)
  • When the sensor comes back online, the events on the Investigate page are recorded with the policy current at that time (Standard Policy) rather than the policy actually assigned when the malware / banned app ran (Monitored Policy)

Cause

When a sensor sends events, each event is recorded with the policy assigned to the sensor at the time the backend ingests the event, not the policy the sensor had when the event actually occurred.

Resolution

  • VMware Carbon Black is working on a fix so that the Investigate page always records the policy assigned at the time of the event
  • As a workaround in the meantime, use the Audit Log to confirm which policy was actually assigned at the time of the event: the Audit Log records each policy change with a timestamp, so compare the change time with the event time rather than trusting the policy shown on the Investigate page
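As an added example (not part of this article and not Carbon Black's own code), the following Python script carries out the reconciliation the workaround describes for the cause explained above: it replays a device's policy-change entries from the Audit Log to work out which policy was in effect at each event's time, and flags Investigate events whose recorded policy differs. The record layouts, field names (`device_id`, `old_policy`, `new_policy`, `recorded_policy` and so on) and the sample entries are constructed assumptions, not the Carbon Black Cloud API schema; map your exported Audit Log and Investigate data onto them.

```python
"""
Reconstruct the policy actually assigned to a device at the time an event
occurred, using policy-change entries from the Audit Log, and flag Investigate
events whose recorded policy does not match.

Added example; not Carbon Black code. The record layouts below (field names,
timestamp format) are simplified assumptions, not the Carbon Black Cloud API
schema: map your exported Audit Log and Investigate data onto them.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2020-09-09T11:30:00Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed Audit Log entries (assumed, simplified layout): one policy change
# for device 1001, made at 12:00 UTC while the sensor was offline.
AUDIT_LOG: List[Dict[str, str]] = [
    {"time": "2020-09-09T12:00:00Z", "device_id": "1001",
     "old_policy": "Monitored Policy", "new_policy": "Standard Policy"},
]

# Constructed Investigate events (assumed, simplified layout). The first ran at
# 11:30 while the sensor was offline and was ingested at 12:30, so the backend
# stamped it with the policy current at ingestion (Standard Policy).
EVENTS: List[Dict[str, str]] = [
    {"event_id": "evt-1", "device_id": "1001", "event_time": "2020-09-09T11:30:00Z",
     "ingest_time": "2020-09-09T12:30:00Z", "recorded_policy": "Standard Policy",
     "process": "banned_app.exe"},
    {"event_id": "evt-2", "device_id": "1001", "event_time": "2020-09-09T12:45:00Z",
     "ingest_time": "2020-09-09T12:45:05Z", "recorded_policy": "Standard Policy",
     "process": "banned_app.exe"},
]


def policy_at(device_id: str, when: datetime, audit_log: List[Dict[str, str]]) -> Optional[str]:
    """Return the policy assigned to device_id at instant `when`.

    Replays the device's policy changes from the Audit Log in time order.
    Before the first change, the policy is that change's old_policy; a change
    whose time is <= `when` is considered in effect at `when`. Returns None if
    the Audit Log has no policy-change entries for the device at all.
    """
    changes = sorted(
        (e for e in audit_log if e["device_id"] == device_id),
        key=lambda e: parse_ts(e["time"]),
    )
    if not changes:
        return None
    current = changes[0]["old_policy"]
    for change in changes:
        if parse_ts(change["time"]) <= when:
            current = change["new_policy"]
        else:
            break
    return current


def reconcile(events: List[Dict[str, str]], audit_log: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Annotate each event with the policy in effect at event_time and a mismatch flag."""
    results: List[Dict[str, object]] = []
    for ev in events:
        effective = policy_at(ev["device_id"], parse_ts(ev["event_time"]), audit_log)
        results.append({
            **ev,
            "effective_policy": effective,
            # Only flag a mismatch when the Audit Log lets us establish the policy.
            "mismatch": effective is not None and effective != ev["recorded_policy"],
        })
    return results


if __name__ == "__main__":
    for r in reconcile(EVENTS, AUDIT_LOG):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f'{r["event_id"]} {r["process"]} event={r["event_time"]} '
              f'recorded={r["recorded_policy"]!r} effective={r["effective_policy"]!r} {flag}')
```

Run as-is to see the offline-window case from the Symptoms above flagged as a mismatch (the policy recorded on the Investigate page is Standard Policy, but Monitored Policy was in effect at 11:30); the second event, which occurred after the policy change, reconciles cleanly. An event dated before a device's first Audit Log change is credited to that change's old policy, and a device with no change entries yields None rather than a guess.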

Additional Notes

  • Usually the policy at event time and at backend ingestion is the same; they differ only when the sensor was offline when the event occurred and its policy was changed before it reconnected

Article Information
Creation Date: 09-09-2020