Issue
Binary information is not reported correctly, or shows as unknown, when reviewed from the OS. Showing the correct details can assist in tuning alerts such as "Suspicious On-Screen Keyboard Process" for Carbon Black EDR (CB Response).
Environment
Carbon Black EDR (CB Response)
Resolution
Review the output of the following curl command, run from the EDR server (replace <Md5Hash> with the MD5 of the binary in question):
curl 'http://localhost:8080/solr/cbmodules/select?q=md5:<Md5Hash>&rows=5&indent=true' > md5_binary.txt
Example:
curl 'http://localhost:8080/solr/cbmodules/select?q=md5:D78B79745706256950D42EFFA5485627&rows=5&indent=true' > D78B79745706256950D42EFFA5485627_binary.txt
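The following wrapper is an added example, not part of this article or of the Carbon Black product: it runs the same Solr query as above, saves the raw output to <md5>_binary.txt as the article does, and then reads the numFound attribute from the response to report whether cbmodules still holds a record for that hash. It assumes Solr is reachable at the article's URL and answers in its default XML format; the sample responses embedded for the offline dry run are constructed, not real EDR output.

```shell
#!/bin/sh
# Added example (not from the KB article or the vendor): wrap the article's
# cbmodules Solr query in a check that says whether the binary record exists.
# Assumptions: Solr listens at the article's URL and returns XML whose
# <result> element carries numFound="N".

SOLR_URL="http://localhost:8080/solr/cbmodules/select"

# Return 0 if the argument is a well-formed MD5 (32 hex characters), else 1.
is_md5() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{32}$'
}

# Read a Solr XML response on stdin and print its numFound value.
# Prints 0 when the attribute is absent (e.g. an HTML error page).
solr_num_found() {
    n=$(sed -n 's/.*numFound="\([0-9]*\)".*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Map a numFound count to "present" (cbmodules has the record) or
# "missing" (the situation described in the Cause section).
classify_count() {
    if [ "$1" -gt 0 ] 2>/dev/null; then
        echo present
    else
        echo missing
    fi
}

# Run the article's query for one MD5, keep the raw output in <md5>_binary.txt
# and print present/missing. Returns 2 on a malformed hash, 1 if curl fails.
check_md5() {
    md5=$1
    if ! is_md5 "$md5"; then
        echo "invalid md5: $md5" >&2
        return 2
    fi
    out="${md5}_binary.txt"
    curl -s "${SOLR_URL}?q=md5:${md5}&rows=5&indent=true" > "$out" || return 1
    classify_count "$(solr_num_found < "$out")"
}

# Constructed sample responses (not real EDR output) for an offline dry run.
SAMPLE_HIT='<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">0</int></lst>
<result name="response" numFound="1" start="0">
<doc><str name="md5">D78B79745706256950D42EFFA5485627</str></doc>
</result>
</response>'
SAMPLE_MISS='<response><result name="response" numFound="0" start="0"></result></response>'

# Dry run without touching Solr: prints "present" then "missing".
if [ "${1:-}" = "--demo" ]; then
    classify_count "$(printf '%s' "$SAMPLE_HIT" | solr_num_found)"
    classify_count "$(printf '%s' "$SAMPLE_MISS" | solr_num_found)"
fi
```

On a live server, source the file and call check_md5 with the hash from the alert; a "missing" result matches the cause below and explains why the console shows the binary as unknown, while the saved <md5>_binary.txt keeps the raw response for the support case.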
Cause
Binary information may have been removed from cbmodules core.
From VMware Carbon Black Support:
"Binary may have been removed from cbmodules core. If a sensor has already seen that hash of OSK.exe and has sent it, or the server told it previously that it had it in cbmodules, it won't resend the binary information again because the internal cache on the sensor says the server already has it."