
Endpoint Standard: How to Triage a Suspected Missed Malware Incident

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (formerly CB Defense)
  • Carbon Black Cloud Sensor: All Versions

Objective

Steps to take if a malware attack is observed on endpoint(s) in the environment and it is believed that the associated malicious behavior should have been detected or prevented by VMware Carbon Black Cloud Endpoint Standard.

Resolution

  1. Place the sensor in quarantine: Carbon Black Cloud: How to Quarantine a Device from the Carbon Black Cloud Console?
  2. Collect sensor logs:
    • Windows
    • macOS
    • Linux

If an affected device is wiped or re-imaged after logs are collected, it might not be possible to continue investigating the issue if further rounds of diagnostic data are needed.

  3. Check Security Advisories and Threat Research content to see if it is a known type of attack. If so, check that the right measures to prevent it were in place. If they were, go to step 4.
  4. Open a Support Case with the following information:
    1. Sensor logs collected in step 2
    2. Hostname(s) of affected device(s)
    3. The policy and policy rule(s) in place which were expected to block the attack
    4. Any notable Alert IDs or Event IDs
    5. Any known IOCs, malware hashes or ransomware file extensions; see How To Provide A Malware Sample To Carbon Black Support if you are able to upload a sample of the malware
Additional information which may also be helpful (if available):
  1. How many endpoints were affected?
  2. Approximate date and time the incident took place
  3. Is the ingress point known?
  4. Did any user report suspicious behavior? If so, what did they observe?
  5. Were the affected endpoints accessible from the internet, by design or unintentionally?
  6. If SMB shares were involved, were they password protected?
  7. Were the sensors remediated after quarantine? If so, what steps were taken?

Additional Notes

  • Support may assist in determining whether Endpoint Standard failed to identify or stop an attack when the appropriate policy rules were in place, but cannot provide detection or prevention recommendations outside of a VMware Carbon Black product. Support is also unable to assist with complete analysis of a security incident, e.g. identifying the exact source of an attack or suggesting full remediation steps (i.e. Incident Response)
  • VMware Carbon Black has many partners that can be contacted in case IR assistance is needed: Incident Response and Managed Security Service Providers - VMware
  • Users needing help during an IR investigation can also post in Threat Research to discuss with other UeX users, in addition to searching the space for analysis and recommendations on known attack types

Article Information
Creation Date: 03-23-2021