Endpoint Standard: Deny/Terminate action taken on an Allowed Application
Environment
Carbon Black Cloud Console: All Supported Versions
Endpoint Standard Sensor: All Supported Versions
Microsoft Windows: All Supported Versions
Apple macOS: All Supported Versions
Symptoms
Deny/Terminate action taken on trusted white application
Application initially has a reputation other than trusted white i.e. UNKNOWN, NOT_LISTED, RESOLVING, ADAPTIVE, etc..
Application process started when reputation was not trusted white
Application process continued to run after reputation was upgraded to trusted white
Cause
Reputation changes will not result in a change to the applied policy for a currently running process.
For example, if a terminate not listed for scrape memory rule is in place and chrome.exe has a not listed reputation, then chrome.exe will be terminated under the not listed rule if or when it tries to scrape memory even if the reputation has been upgraded to a whitelist reputation
Resolution
The process must be stopped and started or restarted in order for the applicable policy to take effect
In the above example, once the chrome.exe process has been stopped/started again, the terminate not listed for scrape memory rule will no longer apply to the process since upgraded whitelist reputation has now been taken into account
Additional Notes
If a terminate rule for tries to run or is running does not apply to that specific file path or reputation, then the process will continue to run without issue unless or until it attempts the specific operation, i.e. scrape memory, communicates over the network, etc..., associated with the terminate action.
Example:
Customer has a terminate not listed for scrape memory
Chrome.exe pid=1150 starts
Sensor gets a not listed reputation
Reputation is upgraded to company white
Chrome.exe pid=1150 continues to run for several days
Chrome.exe pid=1150 tries to scrape memory and is then terminated
Stop/start Chrome.exe and the terminate not listed for scrape memory rule will no longer apply
