Carbon Black Cloud: How do I determine which Ransomware Alerts are False Positives?

Environment

  • Carbon Black Cloud Console - All Versions
  • Endpoint Standard Sensor: 3.0.x.x and Higher

Symptoms

  • Priority 8 Alert - The [application name] attempted to access the raw disk on the device. TTPs: "kernel_access" and "set_system_file"
  • Priority 8 Alert - The [application name] attempted to modify a user data file. TTPs: "access_data_files" and "data_to_encryption"

Cause

  • The first type of alert is generated for any application attempting to access the raw disk, not just Outlook. Carbon Black made improvements in sensor version 3.1 that help mitigate this first type of false positive; however, even with these improvements it is still possible for this false positive to occur. This KB will be updated with the sensor release that contains the complete fix for this issue once it has been confirmed.
  • The second issue has not yet been fixed. In sensor version 3.0.1, the product reported on any access to these decoy files regardless of application reputation or policy, so a fix was made in sensor version 3.0.2.2 to significantly reduce the sensitivity of canary modification detection. See Cb Defense Windows Sensor 3.0.2 Release Notes.pdf. Even with this fix, false positives of this type still occur, although to a lesser degree. We are currently investigating a way to refine the sensitivity of canary file detection even further. This KB will be updated with the sensor release that contains this fix once it has been confirmed.

Resolution

There is currently no resolution to this issue, but dismissing these alerts will reduce the noise generated in the interim.

If you suspect that there are other ransomware false positives outside of the two which have been described in this article, please create a support case with the Alert ID (formerly called Incident ID).

Additional Notes

User data files are decoy files that are owned by the sensor and hidden throughout the filesystem. These files are designed to be interesting to ransomware and are encrypted early in a ransomware attack. To determine if the alert was caused by a canary file, use this process

Since these false positives are generated because of the Enhanced Ransomware Detection available in Sensor version 3.0.x.x and higher, both of the aforementioned false positives will occur regardless of application reputation or policy. While we are working to provide a resolution to these issues, there are two things you can do to filter out these false positives from your Alert view.

  • When using the alerts page use the search query: NOT (KERNEL_ACCESS OR SET_SYSTEM_FILE OR DATA_TO_ENCRYPTION OR ACCESS_DATA_FILES)
  • Dismiss alerts for trusted applications and select the 'Apply for future instances' checkbox. Ensure that the 'Group Alerts' option is turned on; otherwise, the 'Apply for future instances' option does not take effect.
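As an added illustration (not Carbon Black's own code or API), the following Python helper applies the two options above to constructed alert records: it shows that the console query hides every alert carrying any of the four TTPs, and contrasts that with a narrower check that only sets aside priority 8 alerts whose TTPs are exactly one of the two pairs described in this article, so that anything carrying additional TTPs still gets reviewed. The record shape (id, priority, app, ttps) is an assumption, not the real Carbon Black Cloud alert schema.

```python
# Added example (not Carbon Black's code). Triage helper that separates the two
# false-positive TTP combinations described in this article from other
# ransomware alerts. The record shape (id, priority, app, ttps) is an
# assumption, not the real Carbon Black Cloud API schema.

FP_PATTERNS = {
    "raw_disk_access": {"KERNEL_ACCESS", "SET_SYSTEM_FILE"},
    "canary_file_modification": {"ACCESS_DATA_FILES", "DATA_TO_ENCRYPTION"},
}
FP_TTPS = set().union(*FP_PATTERNS.values())

def _ttps(alert):
    # TTP names appear lowercase in alert text and uppercase in the query; normalise.
    return {t.upper() for t in alert["ttps"]}

def console_query_excludes(alert):
    """Mirror NOT (KERNEL_ACCESS OR SET_SYSTEM_FILE OR DATA_TO_ENCRYPTION OR
    ACCESS_DATA_FILES): True if the console query would hide this alert,
    i.e. it carries at least one of the four TTPs."""
    return bool(_ttps(alert) & FP_TTPS)

def matching_fp_pattern(alert):
    """Return the name of the described false-positive pattern this alert
    matches, or None. Only a priority 8 alert whose TTPs are exactly one of
    the two pairs qualifies; extra TTPs disqualify it."""
    if alert["priority"] != 8:
        return None
    ttps = _ttps(alert)
    for name, pair in FP_PATTERNS.items():
        if ttps == pair:
            return name
    return None

def triage(alerts):
    """Split alerts into (likely_fp, needs_review). An alert that the broad
    console query would hide but that matches neither exact pattern lands
    in needs_review rather than being silently dropped."""
    likely_fp, needs_review = [], []
    for alert in alerts:
        (likely_fp if matching_fp_pattern(alert) else needs_review).append(alert)
    return likely_fp, needs_review

# Constructed sample alerts (A3 carries a made-up extra TTP; A4 is lower priority).
SAMPLE_ALERTS = [
    {"id": "A1", "priority": 8, "app": "outlook.exe", "ttps": ["kernel_access", "set_system_file"]},
    {"id": "A2", "priority": 8, "app": "backup.exe", "ttps": ["access_data_files", "data_to_encryption"]},
    {"id": "A3", "priority": 8, "app": "unknown.exe", "ttps": ["access_data_files", "data_to_encryption", "OTHER_TTP"]},
    {"id": "A4", "priority": 5, "app": "word.exe", "ttps": ["kernel_access"]},
]
```

Note that A3 and A4 would both be hidden by the console query but neither matches a described pattern, which is the case the narrower check keeps visible.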

Article Information

Creation Date: 12-05-2017