Environment
- Carbon Black Cloud Web Console: All Versions
- Carbon Black Sensor: All Versions
- Microsoft Windows: All Supported Versions
Question
Why are some Events / Alerts with a Known Malware / Banned reputation being allowed to run then terminated later?
Answer
- The CBC Sensor is run as a Service. When the services are started there may be malware that was started already and has taken actions. When the CBC Sensor is active it will prioritize Policy enforcement actions over timestamps for logging to terminate processes according to Policy as quickly as possible.
- This issue has been resolved in Sensor Version 3.5 with a new feature that will find all malicious services associated with Known Malware hashes and puts them in a disabled state.
Additional Notes
If this is seen in the Console, you can Search by the Hash on the Device to see what occurred and verify the Sensor is Terminating / Denying the process when able.
Signs in the CBC Console that malware started before the Sensor:
- The Events show Reputation values that should have been Terminated / Denied but there was no action logged for this
- If the first Event for an Alert ID is services.exe invoking a process with a Reputation that should be stopped by Policy settings but is not
- If the Events of Known Malware running all occur in the same second
If unsure, please open a Support case for assistance.
Related Content
