Endpoint Standard: Sudden Blue Screens on Windows Devices (23rd August 2022)

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.7.0.1253
  • Microsoft Windows: All Supported Versions

Symptoms

  • Device goes to Blue Screen on boot
  • Stop code may show "PFN_LIST_CORRUPT"

Cause

Updated Threat Research rulesets were rolled out to Prod01, Prod02, ProdEU (aka Prod06), ProdSYD, and ProdNRT after internal testing showed no signs of issues.

Resolution

VMware Carbon Black has rolled back the rulesets, and as machines check in they will get the updated ruleset and auto-resolve. Please watch this KB for updates.

Temporary Workaround

  • Place impacted Sensors into Bypass mode via the Carbon Black Cloud Console to allow them to boot successfully and have the ruleset removed
  • A small subset of impacted devices may require an additional workaround that involves a reboot into Safe Mode. If so, please open a Support case as called out below

Additional Notes

  • If you are having an issue with this, please open a Support case so we may help resolve it. Please include the following in the case:
    Org_Key: 
    Device Name(s): 
    Device ID(s): 
    Operating System(s):
  • If a device is not encountering a BSOD or boot loop, the following command can be used to verify that the endpoint has received the corrected ruleset and no longer has the older ruleset:
    C:\> "C:\Program Files\Confer\repcli.exe" status | findstr /i manifest
    • Reverted Rulesets (note Revision number)
      Ransomware Detection Revision[18]: Enabled (Manifest)
      Ransomware Prevention Revision[14]: Enabled (Manifest)
      Carbon Black Threat Intelligence Detection Revision[28]: Enabled (Manifest)
      Carbon Black Threat Intelligence Prevention Revision[14]: Enabled (Manifest)
    • Impacted Rulesets (note Revision number)
      Ransomware Detection Revision[27]: Enabled (Manifest)
      Ransomware Prevention Revision[16]: Enabled (Manifest)
      Carbon Black Threat Intelligence Detection Revision[35]: Enabled (Manifest)
      Carbon Black Threat Intelligence Prevention Revision[18]: Enabled (Manifest)
      Carbon Black Persistence Prevention Revision[2]: Enabled (Manifest)
      Carbon Black Persistence Detection Revision[3]: Enabled (Manifest)
    • Recent Last Manifest Content Update Time
      Last Manifest Content Update Time[MM/dd/yyyy hh:mm:ss]
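
The manifest check above can be scripted for use across many endpoints. The following PowerShell is an added example, not VMware tooling: the function name `Get-RulesetState`, the exit codes and the sample lines are assumptions made here, and the parsing assumes `repcli status` prints manifest lines in exactly the format shown in this KB.

```powershell
# Added example (not VMware tooling). Revisions are this KB's "Impacted Rulesets" values.
$Impacted = @{
    'Ransomware Detection'                        = 27
    'Ransomware Prevention'                       = 16
    'Carbon Black Threat Intelligence Detection'  = 35
    'Carbon Black Threat Intelligence Prevention' = 18
    'Carbon Black Persistence Prevention'         = 2
    'Carbon Black Persistence Detection'          = 3
}
function Get-RulesetState {
    param([string[]]$StatusLines)
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(?<name>.+?) Revision\[(?<rev>\d+)\]:\s*(?<state>\w+)\s+\(Manifest\)') {
            $name = $Matches['name']
            $rev  = [int]$Matches['rev']
            [pscustomobject]@{
                Ruleset  = $name
                Revision = $rev
                State    = $Matches['state']
                Impacted = ($Impacted.ContainsKey($name) -and ($Impacted[$name] -eq $rev))
            }
        }
    }
}

$repcli = 'C:\Program Files\Confer\repcli.exe'
if (Test-Path $repcli) {
    $lines = & $repcli status
} else {
    # Constructed sample input so the script also runs on a machine without the sensor
    $lines = @(
        'Ransomware Detection Revision[18]: Enabled (Manifest)'
        'Ransomware Prevention Revision[16]: Enabled (Manifest)'
        'Carbon Black Persistence Detection Revision[3]: Enabled (Manifest)'
    )
}

$results = @(Get-RulesetState -StatusLines $lines)
$results | Format-Table -AutoSize
$bad = @($results | Where-Object { $_.Impacted })
if ($results.Count -eq 0) {
    Write-Warning 'No manifest lines parsed; sensor state unknown.'
    exit 2
} elseif ($bad.Count -gt 0) {
    Write-Warning ('Impacted revisions still present: ' + ($bad.Ruleset -join ', '))
    exit 1
}
'All parsed rulesets are off the impacted revisions.'
```

An empty parse result is reported separately (exit code 2) rather than as healthy, so a sensor that returns no manifest lines is not mistaken for a remediated one.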

Article Information

Creation Date: 08-23-2022