logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Endpoint Standard: Termination of Microsoft-Signed DLL File Despite Trusted Whitelist

Endpoint Standard: Termination of Microsoft-Signed DLL File Despite Trusted Whitelist

Environment

  • Endpoint Standard (Formerly CB Defense) Sensor: 3.2.x.x - 3.5.x.x
  • Microsoft Windows: All supported versions

Symptoms

  • The Microsoft-signed file dnsapi.dll is terminated with an applied reputation of Known_Malware (Malware: TR/Patched.DNS.Gen)
  • The file shows as known good in the Carbon Black Cloud and VT
  • The file has been known good since 2018
  • The terminations may be sporadic

Cause

This is related to a known issue with the timing of scanning temp files or file scanning during the write process

Resolution

This issue has been investigated and the fix is included in the 3.6.0.1719 sensor release
(See release notes - https://community.carbonblack.com/t5/Carbon-Black-Cloud-Windows/tkb-p/release_notes_windows - under 'Fixed' DSEN-4580)

Additional Notes

  • Carbon Black does not recommend whitelisting dnsapi.dll because this is a common attack vector
  • The files involved all have a reputation of Trusted White which is correctly applied and prevents terminations the majority of the time

Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎09-08-2020
Views:
1269
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.