Environment
- CB Defense PSC Console: All Versions
- CB Defense PSC Sensor: 3.5 and above
- Microsoft Windows: All Supported Versions
Question
Does the sensor disable device services?
Answer
Yes. Starting in Sensor version 3.5, a new feature finds all malicious services associated with Known Malware hashes and puts them in a disabled state.
Additional Notes
- Malicious services that run at start-up have the potential to execute and impact the endpoint before the sensor starts up.
- If the sensor disables the malware service, the service(s) remain in a disabled state across reboots, and therefore cannot execute at startup.
- If the service binary in question was not malicious, or if some other tool is used to clean the malware, the sensor will not automatically enable the service again.
- This feature only applies to files with a Known Malware reputation, so it is possible that files with a Company Blacklist, Suspect/Heuristic Malware, or Adware/PUP Malware reputation may execute on device boot-up if they are started before the sensor service.
- This feature will not take effect if the prevention rule "Known malware Runs or is running" Deny\Terminate is not enabled on the device policy.
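
Because the sensor does not re-enable a service on its own, an administrator has to find and review disabled services manually. The following PowerShell is an added example, not code from the vendor or the original article. It assumes a service disabled by the sensor shows the standard Windows "Disabled" start mode, and the function names are hypothetical.

```powershell
# Added example: inventory services whose start mode is Disabled so they can be
# reviewed and, where legitimate, re-enabled by hand.
# Assumption: a sensor-disabled service appears with the standard Windows
# "Disabled" start mode; the article does not state the mechanism.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    # Quoted form: "C:\Program Files\App\svc.exe" -arg
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: take everything up to the first executable extension
    if ($expanded -match '^(.+?\.(exe|dll|sys))(\s|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-DisabledServiceReport {
    Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Disabled'" |
        ForEach-Object {
            $path   = Get-ServiceBinaryPath -PathName $_.PathName
            $exists = [bool]($path -and (Test-Path -LiteralPath $path -PathType Leaf))
            $hash = $null; $sig = $null
            if ($exists) {
                # The SHA-256 can be compared with the hash reputation in the console
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status
            }
            [pscustomobject]@{
                Name         = $_.Name
                DisplayName  = $_.DisplayName
                BinaryPath   = $path
                BinaryExists = $exists   # False: binary already removed or cleaned
                SHA256       = $hash
                Signature    = $sig
            }
        }
}

Get-DisabledServiceReport | Sort-Object BinaryExists, Name | Format-Table -AutoSize

# After confirming a service is legitimate (placeholder name, not from the article):
# Set-Service -Name '<ServiceName>' -StartupType Manual
```

Many Windows services are disabled by default, so the report is a review list rather than a list of sensor actions.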