Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Endpoint Standard: Deny/Terminate action taken on Whitelist Application

Endpoint Standard: Deny/Terminate action taken on Whitelist Application

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard Sensor: All Versions
  • Microsoft Windows: All Versions
  • Apple MacOS: All Versions

Symptoms

  • Deny/Terminate action taken on trusted white application
  • Application initially has a reputation other than trusted white i.e. UNKNOWN, NOT_LISTED, RESOLVING, ADAPTIVE, etc..
  • Application process started when reputation was not trusted white
  • Application process continued to run after reputation was upgraded to trusted white

Cause

  • Reputation changes will not result in a change to the applied policy for a currently running process. 
  • For example, if a terminate not listed for scrape memory rule is in place and chrome.exe has a not listed reputation, then chrome.exe will be terminated under the not listed rule if or when it tries to scrape memory even if the reputation has been upgraded to a whitelist reputation

Resolution

  • The process must be stopped and started or restarted in order for the applicable policy to take effect
  • In the above example, once the chrome.exe process has been stopped/started again, the terminate not listed for scrape memory rule will no longer apply to the process since upgraded whitelist reputation has now been taken into account

Additional Notes

  • If a terminate rule for tries to run or is running does not apply to that specific file path or reputation, then the process will continue to run without issue unless or until it attempts the specific operation, i.e. scrape memory, communicates over the network, etc..., associated with the terminate action.
  • Example:
  1. Customer has a terminate not listed for scrape memory 
  2. Chrome.exe pid=1150 starts 
  3. Sensor gets a not listed reputation
  4. Reputation is upgraded to company white
  5. Chrome.exe pid=1150 continues to run for several days
  6. Chrome.exe pid=1150 tries to scrape memory and is then terminated 
  7. Stop/start Chrome.exe and the terminate not listed for scrape memory rule will no longer apply

Related Content


Was this article helpful? Yes No
50% helpful (1/2)
Article Information
Author:
Creation Date:
‎03-14-2019
Views:
1504
Contributors