Endpoint Standard: Termination of Microsoft-Signed DLL File Despite Trusted Whitelist

Environment

  • Endpoint Standard (Formerly CB Defense) Sensor: 3.2.x.x - 3.5.x.x
  • Microsoft Windows: All supported versions

Symptoms

  • The Microsoft-signed file dnsapi.dll is terminated with an applied reputation of Known_Malware (Malware: TR/Patched.DNS.Gen)
  • The same file shows as known good in the Carbon Black Cloud console and in VirusTotal (VT)
  • The file has been known good since 2018
  • The terminations may be sporadic rather than occurring on every execution

Cause

This is related to a known sensor issue with the timing of scanning: the file is scanned either as a temporary file or while it is still being written, so the reputation lookup can run against incomplete content and return a malware verdict.

Resolution

This issue has been investigated and the fix is included in the 3.6.0.1719 sensor release.
(See the release notes at https://community.carbonblack.com/t5/Carbon-Black-Cloud-Windows/tkb-p/release_notes_windows under 'Fixed', item DSEN-4580.)

Additional Notes

  • Carbon Black does not recommend whitelisting dnsapi.dll because this is a common attack vector
  • The files involved all have a reputation of Trusted White which is correctly applied and prevents terminations the majority of the time
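The following PowerShell is an added example, not part of this article or of the Carbon Black sensor, for triaging a reported termination of dnsapi.dll on an endpoint: it checks whether the sensor version falls in the affected range stated above (3.2.x.x through 3.5.x.x, fixed in 3.6.0.1719) and confirms that the terminated file carries a valid Microsoft signature. The sensor version is assumed to be supplied by the operator (from the console or the installed-programs entry); the sample version below is a constructed value.

```powershell
# Added example; not from the KB article or the Carbon Black sensor.
function Test-AffectedSensorVersion {
    param([Parameter(Mandatory)][version]$SensorVersion)
    # Affected range per the article: 3.2.x.x through 3.5.x.x; fixed in 3.6.0.1719
    $affectedFrom = [version]'3.2.0.0'
    $fixedIn      = [version]'3.6.0.1719'
    return ($SensorVersion -ge $affectedFrom) -and ($SensorVersion -lt $fixedIn)
}

function Get-DnsapiSignatureInfo {
    param([string]$Path = "$env:SystemRoot\System32\dnsapi.dll")
    # Get-AuthenticodeSignature also resolves catalog signatures, which is how
    # most Windows system DLLs are signed (SignatureType = Catalog).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ver = (Get-Item -Path $Path).VersionInfo
    [pscustomobject]@{
        Path            = $Path
        FileVersion     = $ver.FileVersion
        SignatureStatus = $sig.Status          # expect 'Valid' for a genuine system DLL
        SignatureType   = $sig.SignatureType   # 'Catalog' or 'Authenticode'
        Signer          = $sig.SignerCertificate.Subject
        MicrosoftSigned = ($sig.Status -eq 'Valid') -and
                          ($sig.SignerCertificate.Subject -like '*Microsoft*')
    }
}

# Constructed sample sensor version; replace with the value shown in the console.
$sensorVersion = [version]'3.5.0.1523'
if (Test-AffectedSensorVersion -SensorVersion $sensorVersion) {
    Write-Warning ("Sensor {0} is in the affected range; a termination of dnsapi.dll " +
                   "is consistent with DSEN-4580. Upgrade to 3.6.0.1719 or later.") -f $sensorVersion
}

# Check both the 64-bit and the WOW64 copy of the DLL.
Get-DnsapiSignatureInfo | Format-List
if (Test-Path "$env:SystemRoot\SysWOW64\dnsapi.dll") {
    Get-DnsapiSignatureInfo -Path "$env:SystemRoot\SysWOW64\dnsapi.dll" | Format-List
}
```

If MicrosoftSigned is True and the sensor is in the affected range, treat the termination as the timing issue described in the Cause section and upgrade the sensor; if the signature is not valid, investigate the file rather than assuming a false positive.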

Creation Date: 09-08-2020