Endpoint Standard: How To Triage Malware Attack if Suspected That Product Did Not Detect or Prevent
Carbon Black Cloud Console: All Versions
Endpoint Standard (formerly CB Defense)
Carbon Black Cloud Sensor: All Versions
Steps to take if a malware attack is observed on one or more endpoints in the environment and it is believed that the associated malicious behavior should have been detected or prevented by VMware Carbon Black Cloud Endpoint Standard.
Additional information that may also help Support triage the case (provide as much as possible):
How many endpoints were affected?
Approximate date and time the incident took place
Is the ingress point known?
Did any user report suspicious behavior? If so, what did they observe?
Were the affected endpoints accessible from the internet by design or unintentionally?
If SMB shares were involved, were they password protected?
Were the affected endpoints remediated after being quarantined? If so, what steps were taken?
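Several of the questions above (sensor state, SMB share exposure, the likely ingress point, and the incident window) can be answered from data on the endpoint itself rather than from memory. The following PowerShell script is an added example, not part of the Carbon Black KB article and not a Carbon Black tool; it collects that evidence from one Windows endpoint into a JSON file that can be attached to the support case. It assumes the sensor's Windows service is named CbDefense, that RepCLI.exe is installed under C:\Program Files\Confer, and that Security event 4624 uses its standard property layout (LogonType at index 8, IpAddress at index 18). The number of affected endpoints and whether a host was internet-exposed by design still have to be answered by the analyst.

```powershell
#Requires -RunAsAdministrator
# Added triage collector for an Endpoint Standard "missed detection" support case.
# Not from the KB article or from Carbon Black; service name, RepCLI path and
# event property indices are assumptions noted inline.
param(
    [datetime]$IncidentStart = (Get-Date).AddHours(-24),   # approximate start of the incident
    [datetime]$IncidentEnd   = (Get-Date),                 # approximate end of the incident
    [string]$OutFile    = "$env:COMPUTERNAME-cbc-triage.json",
    [string]$RepCliPath = 'C:\Program Files\Confer\RepCLI.exe'   # assumed sensor install path
)

$report = [ordered]@{
    Hostname       = $env:COMPUTERNAME
    CollectedAt    = (Get-Date).ToString('o')
    IncidentWindow = @{ Start = $IncidentStart.ToString('o'); End = $IncidentEnd.ToString('o') }
}

# 1. Sensor state: service status plus the sensor's own status report.
#    'CbDefense' is the assumed service name of the Carbon Black Cloud Windows sensor.
$svc = Get-Service -Name 'CbDefense' -ErrorAction SilentlyContinue
$report.SensorService = if ($svc) { $svc.Status.ToString() } else { 'service not found' }
$report.RepCliStatus  = if (Test-Path $RepCliPath) {
    (& $RepCliPath status 2>&1) -join "`n"
} else {
    "RepCLI not found at $RepCliPath"
}

# 2. SMB exposure: non-administrative shares and whether their share ACL allows
#    Everyone / ANONYMOUS LOGON / Guest, i.e. access without an individual credential.
$shares = Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { -not $_.Special }
$report.SmbShares = @(foreach ($s in $shares) {
    $acl = Get-SmbShareAccess -Name $s.Name
    [ordered]@{
        Name   = $s.Name
        Path   = $s.Path
        Access = @($acl | ForEach-Object { "$($_.AccountName):$($_.AccessRight):$($_.AccessControlType)" })
        OpenToUnauthenticated = [bool]($acl | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.AccountName -match 'Everyone|ANONYMOUS LOGON|Guest'
        })
    }
})

# 3. Remote logons during the window, to help answer "is the ingress point known?".
#    Logon type 3 = network (SMB/RPC), type 10 = RemoteInteractive (RDP).
#    Property indices follow the standard 4624 layout: 5 = TargetUserName,
#    6 = TargetDomainName, 8 = LogonType, 18 = IpAddress (assumed, verify on your build).
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $IncidentStart; EndTime = $IncidentEnd }
$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_.Properties
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = "$($p[6].Value)\$($p[5].Value)"
        LogonType = [int]$p[8].Value
        Source    = [string]$p[18].Value
    }
} | Where-Object { $_.LogonType -in 3, 10 -and $_.Source -notin '-', '127.0.0.1', '::1' }

$report.RemoteLogons = @($logons | Group-Object Source, LogonType | ForEach-Object {
    $first = ($_.Group | Sort-Object Time)[0]
    [ordered]@{
        Source    = $first.Source
        LogonType = $first.LogonType
        Count     = $_.Count
        FirstSeen = $first.Time.ToString('o')
        Users     = @($_.Group.User | Sort-Object -Unique)
    }
})

$report | ConvertTo-Json -Depth 5 | Set-Content -Path $OutFile -Encoding UTF8
Write-Host "Triage summary written to $OutFile"
```

Run it once per affected endpoint with the incident window adjusted to the observed timeframe; the resulting files give Support the sensor status, the share exposure and the first external logon source per host, alongside the date, time and endpoint count you supply by hand. RepCLI may require elevation and can be restricted by sensor policy, in which case the RepCliStatus field will contain the error text rather than a status report.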
Support may assist in determining whether Endpoint Standard failed to identify or stop an attack when the appropriate policy rules were in place, but cannot provide detection or prevention recommendations for anything outside a VMware Carbon Black product. Support is also unable to perform a full analysis of a security incident, such as identifying the exact source of an attack or recommending complete remediation steps; that is the domain of Incident Response.