Environment
- Carbon Black Cloud Web Console: All Versions
- Carbon Black Cloud Sensor: All Versions
- Microsoft Windows: All Versions
- Apple MacOS: All Versions
Symptoms
- A banned or malware app was allowed to run while the sensor was assigned to a policy that does not have a deny \ terminate rule for malware or blacklist apps (ex. Monitored Policy)
- The sensor goes offline (e.g. loses network connection)
- The sensor policy is changed to a policy which has a deny \ terminate rule for malware or blacklist apps (ex. Standard Policy)
- When the sensor comes back online, the events on the Investigate page are recorded with the updated policy (Standard Policy) instead of the policy that was actually assigned when the malware \ banned app ran (Monitored Policy)
Cause
When events are sent from a sensor, they are recorded with the policy that the sensor has at the time the event is ingested by the backend, not the policy that the sensor had at the time of the event.
Resolution
- VMware Carbon Black is working on a fix which will ensure that the Investigate page always records the policy assigned at the time of the event
- To work around this issue in the meantime, use the Audit Log to confirm the policy which was actually assigned at the time of the event
Additional Notes
- Usually the policy at the time of the event and at backend ingestion is the same, but if the sensor has been offline and its policy was changed in the meantime, the two can differ
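The workaround above (checking the Audit Log for the policy in effect at event time) can be automated when many events need reconciling. The following is an added example, not code from VMware Carbon Black and not its API: the record shapes, field names (time, device_id, old_policy, new_policy, event_time, ingest_time, recorded_policy) and the sample audit entries and events are all constructed for illustration. It replays the policy-change history per device to reconstruct the policy assigned at each event's timestamp and flags events whose recorded policy differs.

```python
from datetime import datetime, timezone

# Constructed sample data (assumed shapes, not Carbon Black API output).
# Audit-log entries describing policy changes for a device.
AUDIT_LOG = [
    # Policy of device 1001 changed while its sensor was offline.
    {"time": "2023-05-01T10:30:00Z", "device_id": 1001,
     "old_policy": "Monitored Policy", "new_policy": "Standard Policy"},
    # A later change back, to show that only changes before the event count.
    {"time": "2023-05-01T12:00:00Z", "device_id": 1001,
     "old_policy": "Standard Policy", "new_policy": "Monitored Policy"},
]

# Events as they appear after ingestion, stamped with the policy current at
# ingest time (the behaviour this article describes).
EVENTS = [
    # Ran under Monitored Policy, ingested after the switch to Standard Policy.
    {"event_id": "evt-1", "device_id": 1001,
     "event_time": "2023-05-01T09:15:00Z", "ingest_time": "2023-05-01T11:00:00Z",
     "recorded_policy": "Standard Policy"},
    # Happened after the change; recorded policy is correct here.
    {"event_id": "evt-2", "device_id": 1001,
     "event_time": "2023-05-01T11:10:00Z", "ingest_time": "2023-05-01T11:11:00Z",
     "recorded_policy": "Standard Policy"},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def policy_at(device_id, when, audit_log):
    """Reconstruct the policy assigned to device_id at datetime `when` from the
    policy-change audit entries. Returns None if the log has no entry for the
    device, since nothing can then be concluded from the log alone."""
    changes = sorted(
        (e for e in audit_log if e["device_id"] == device_id),
        key=lambda e: parse_ts(e["time"]),
    )
    if not changes:
        return None
    # Before the first recorded change the device had that change's old policy.
    current = changes[0]["old_policy"]
    for change in changes:
        if parse_ts(change["time"]) <= when:
            current = change["new_policy"]
        else:
            break
    return current


def reconcile(events, audit_log):
    """Compare each event's recorded policy with the policy reconstructed from
    the audit log at the event's own timestamp; flag the mismatches."""
    results = []
    for ev in events:
        actual = policy_at(ev["device_id"], parse_ts(ev["event_time"]), audit_log)
        results.append({
            "event_id": ev["event_id"],
            "recorded_policy": ev["recorded_policy"],
            "actual_policy": actual,
            "mismatch": actual is not None and actual != ev["recorded_policy"],
        })
    return results


if __name__ == "__main__":
    for row in reconcile(EVENTS, AUDIT_LOG):
        flag = "MISMATCH" if row["mismatch"] else "ok"
        print(f'{row["event_id"]}: recorded={row["recorded_policy"]!r} '
              f'actual={row["actual_policy"]!r} [{flag}]')
```

With the sample data, evt-1 is flagged because it ran under Monitored Policy but was stamped Standard Policy at ingest, while evt-2 is consistent. A change whose timestamp equals the event timestamp is treated as already in effect; adjust the comparison if your audit-log timestamps have coarser resolution than the event timestamps.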