Why is the Carbon Black Protection Server showing as the source host of 'Malicious File Detected' event?
'Malicious File Detected' events are appearing in the Cb Protection Console with the Cb Protection Server name as the source host instead of the actual computer where the event happened.
This is by design. In the case of “Malicious file detected”, the source of the event is the Bit9 SRS lookup, not an endpoint. For any new file, the endpoint first reports “New file found on network” and the Cb Protection Server inserts that data into the file catalog. The Cb Protection Server then performs an SRS lookup, and the file catalog entry is correlated with the SRS threat/trust data, which may in turn generate a “Malicious file detected” event. Because the lookup happens once per file hash rather than once per endpoint, if the same file is detected on multiple machines only one “Malicious file detected” event is generated.
As a workaround, you can create a custom alert (Console > Tools > Alerts > Add Alert):
a. Set an alert name.
b. Set Priority to "High".
c. Set Status to "Enabled".
d. Set Mail Template to "Template for Event".
e. Under "Select Event Properties", set Subtype is "Malicious File Detected" or "Potential Risk File Detected".
f. Add the subscribers' email addresses (the alert must be saved first, before email recipients can be specified).
g. Save and Exit.
When one of these alerts is triggered, it generates an "Alert triggered" event. That event is still sourced from the Cb Protection Server, but its message description contains a summary,
“Computer(s) and user(s) affected:”, listing the top 5 endpoints and usernames associated with the malware hash.
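The same correlation can be done offline from an event export, which is useful when reviewing historical data rather than waiting for an alert. The following is an added example (not Cb Protection product code): it joins each server-sourced "Malicious file detected" or "Potential Risk File Detected" event to the endpoint-sourced "New file found on network" events for the same hash, and returns up to five host/user pairs per hash, mirroring the alert summary described above. The event records and their field names (subtype, host, user, hash) are constructed for illustration and are not the console's export format.

```python
from collections import defaultdict

# Constructed sample events (not a real Cb Protection export); field names are assumptions.
# Only the "New file found on network" events carry the real endpoint as host.
EVENTS = [
    {"subtype": "New file found on network", "host": "WKS-01", "user": "alice", "hash": "HASH_A"},
    {"subtype": "New file found on network", "host": "WKS-02", "user": "bob", "hash": "HASH_A"},
    {"subtype": "New file found on network", "host": "WKS-02", "user": "bob", "hash": "HASH_A"},
    {"subtype": "New file found on network", "host": "WKS-03", "user": "carol", "hash": "HASH_B"},
    # Server-sourced verdict events: host is the Cb Protection Server, not an endpoint.
    {"subtype": "Malicious file detected", "host": "CBP-SERVER", "user": "", "hash": "HASH_A"},
    {"subtype": "Potential Risk File Detected", "host": "CBP-SERVER", "user": "", "hash": "HASH_B"},
    {"subtype": "Malicious file detected", "host": "CBP-SERVER", "user": "", "hash": "HASH_C"},
]

VERDICT_SUBTYPES = {"Malicious file detected", "Potential Risk File Detected"}


def affected_endpoints(events, max_entries=5):
    """Map each server-sourced verdict hash to the (host, user) pairs that reported the file.

    Returns a dict: hash -> list of up to max_entries (host, user) tuples in first-seen order.
    A verdict hash with no matching endpoint report maps to an empty list, which is worth
    investigating on its own (e.g. the endpoint events fall outside the exported window).
    """
    reporters = defaultdict(list)
    for ev in events:
        if ev["subtype"] == "New file found on network":
            pair = (ev["host"], ev["user"])
            if pair not in reporters[ev["hash"]]:  # de-duplicate repeat reports
                reporters[ev["hash"]].append(pair)

    result = {}
    for ev in events:
        if ev["subtype"] in VERDICT_SUBTYPES:
            result[ev["hash"]] = reporters.get(ev["hash"], [])[:max_entries]
    return result


if __name__ == "__main__":
    for file_hash, pairs in affected_endpoints(EVENTS).items():
        summary = ", ".join(f"{h} ({u})" for h, u in pairs) or "no endpoint report found"
        print(f"{file_hash}: Computer(s) and user(s) affected: {summary}")
```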