Endpoint Standard: Why doesn't POLICY_DENY of KNOWN_MALWARE generate an Alert?
Carbon Black Cloud Console: All Versions
Endpoint Standard (formerly CB Defense) Sensor: All Versions
Microsoft Windows: All Supported Versions
Apple macOS: All Supported Versions
An Event in the Investigate Page of the CB Defense Web Console reports the following:
The application C:\path\selectedapp.exe was prevented from accessing the file C:\path\targetapp.exe due to a Deny operation or Terminate process policy action.
TTPs: POLICY_DENY, and the target application has a KNOWN_MALWARE, SUSPECT_MALWARE, PUP, or COMPANY_BLACK_LIST reputation
An Alert is not created for this event
If an application only attempts a generic READ access on the target malware, the sensor blocks the action and logs the event, but CB Defense does not form this event into an Alert.
Depending on the policy rules in place, Endpoint Standard will prevent any application from accessing a known malware, suspect malware, PUP, or company black list file. This behavior is effectively a file quarantine, or "quarantine-in-place". The read operation is denied, logged, and provisionally included in any threat that may be created at that time if one or more of the following minimum criteria are met:
The Endpoint Standard Sensor first detects the malware on the local disk, either during a background scan or when the malware is initially created or dropped
Another application attempts to READ the malware with the intention to EXECUTE or RUN it
The malware process was already running and the Endpoint Standard Sensor terminates the process
Event data is sent from the Sensor to the backend and analyzed to determine whether an AlertID should be assigned to the Event
If an AlertID is assigned, the Event will be categorized as either a Threat or Monitored Alert and shown on the Alerts page
The reason for this behavior is to reduce excessive or repetitious Alerts generated by read access to malware.
This could happen when backup software or disk indexing performs continuous READ operations on the malware file.
Even without such software present, repeated read operations may occur every time the end user opens the directory or path that contains the malware. This is especially true where an environment is already inundated with newly downloaded or commodity malware that existed on these devices before the Endpoint Standard Sensor was installed.
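The following triage logic mirrors the criteria above so that exported POLICY_DENY events can be separated into alert candidates and quarantine-in-place read noise. This is an added example, not Carbon Black's backend logic or API; the event field names, the access-type labels and the sample events are constructed for illustration.

```python
# Triage of Endpoint Standard POLICY_DENY events against the alert criteria above.
# Example code, not Carbon Black's backend or API; field names and sample events
# are constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

BLOCKED_REPUTATIONS = {"KNOWN_MALWARE", "SUSPECT_MALWARE", "PUP", "COMPANY_BLACK_LIST"}

# Constructed access labels that map to the minimum criteria for an AlertID:
#   CREATE / SCAN - sensor first detects the malware (dropped, or found by background scan)
#   EXECUTE       - another application reads the malware in order to run it
#   TERMINATE     - the malware was already running and the sensor killed it
# A plain READ never meets a criterion: it is denied and logged, but not alerted.
ALERT_ACCESS = {"CREATE", "SCAN", "EXECUTE", "TERMINATE"}


@dataclass(frozen=True)
class DenyEvent:
    device: str       # endpoint name
    app: str          # application whose access was denied
    target: str       # file it tried to access
    reputation: str   # reputation of the target file
    access: str       # READ, CREATE, SCAN, EXECUTE or TERMINATE


def alert_worthy(ev: DenyEvent) -> bool:
    """True when the deny event would be assigned an AlertID under the criteria above."""
    return ev.reputation in BLOCKED_REPUTATIONS and ev.access in ALERT_ACCESS


def triage(events: Iterable[DenyEvent]):
    """Split events into alert candidates and read-only noise, and count how often each
    (device, target) pair is re-read, e.g. by backup or indexing software."""
    events = list(events)
    alerts = [e for e in events if alert_worthy(e)]
    noise = [e for e in events if not alert_worthy(e)]
    repeat_reads = Counter((e.device, e.target) for e in noise if e.access == "READ")
    return alerts, noise, repeat_reads


# Constructed sample: one dropped file, an indexer and a backup agent re-reading it,
# one launch attempt, and an unrelated PUP read on a second device.
MAL = r"C:\Users\a\Downloads\x.exe"
SAMPLE = [
    DenyEvent("WS01", r"C:\Users\a\Downloads\browser.exe", MAL, "KNOWN_MALWARE", "CREATE"),
    DenyEvent("WS01", r"C:\Windows\System32\SearchIndexer.exe", MAL, "KNOWN_MALWARE", "READ"),
    DenyEvent("WS01", r"C:\Windows\System32\SearchIndexer.exe", MAL, "KNOWN_MALWARE", "READ"),
    DenyEvent("WS01", r"C:\Program Files\Backup\agent.exe", MAL, "KNOWN_MALWARE", "READ"),
    DenyEvent("WS01", r"C:\Windows\explorer.exe", MAL, "KNOWN_MALWARE", "EXECUTE"),
    DenyEvent("WS02", r"C:\Windows\explorer.exe", r"C:\Tools\bundle.exe", "PUP", "READ"),
]
```

Running `triage(SAMPLE)` yields two alert candidates (the CREATE and the EXECUTE), four read-only deny events, and a count of three repeated reads of the dropped file on WS01.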
If a notification on every deny event is required, create a notification in the Carbon Black Cloud Console that triggers on "Policy action enforced: Deny".
If notifications that trigger when an Alert crosses a threshold (THREAT, MONITORED, Alert Priority) already exist, duplicate notifications for the same event may be received when a policy action is also enforced.