Environment
- Endpoint Standard (Formerly CB Defense) Sensor: 3.2.x.x - 3.5.x.x
- Microsoft Windows: All supported versions
Symptoms
- The Microsoft-signed file dnsapi.dll is terminated with an applied reputation of Known_Malware (Malware: TR/Patched.DNS.Gen)
- The file shows as known good in the Carbon Black Cloud and VirusTotal (VT)
- The file has been known good since 2018
- The terminations may be sporadic
Cause
This is related to a known issue with scan timing: temp files being scanned, or a file being scanned while it is still being written.
Resolution
Additional Notes
- Carbon Black does not recommend whitelisting dnsapi.dll because this is a common attack vector
- The files involved all have a reputation of Trusted White, which is correctly applied and prevents terminations the majority of the time