Enterprise EDR

 View Only
  • 1.  Announcing Hash Banning for Enterprise EDR

    Posted Jun 28, 2021 08:00 PM

    Hash Banning for Enterprise EDR

    HashBanning is now available for Enterprise EDR on endpoints running the Windows 3.7+ sensor. Ban files by hash to block files from: being opened with execute access; starting a process from a file; or being loaded as modules, scripts, or drivers.


    Banning a Hash

    In order to ban a hash, users may do so on the Reputation page by manually entering the SHA256 hash, application name, and add comments (optional) as depicted in the screenshot below.

    Screen Shot 2021-06-28 at 7.20.00 AM.png

    Users also have the ability to ban a hash while in the console on the Alerts page, Investigate Page, or Process Analysis page. In order to do so, users must click on the process of interest, go to the associated process actions and select “Add to Banned List.’ A screenshot is provided below for an example on the Alerts Page.

    Screen Shot 2021-06-28 at 7.19.23 AM.png


    Removing a Banned Hash

    In order to remove a banned hash, users may do so from the Reputation Page, Investigate Page, Alerts Page, and Process analysis page by selecting a banned process and in the actions menu selecting “Remove from banned List.” A screen shot is provided below of how to do this on the Reputation Page.

    Screen Shot 2021-06-28 at 7.18.18 AM.png


    In Console Experience: Alerts

    Users new to hash banning will be able to see alerts regarding the banned hash if it runs and is terminated or tries to run and is denied. The alerts will resemble the following:

    • Alert severity of 4
    • Reason Field: “The application: X on the company banned list attempted to run. A [Deny or Terminate] Policy was applied”
    • TTPs: company_banned, policy_deny, policy_terminate
    • The alert details panel (shown below) applicable alerts will have a parent process "card" for details on the spawning process, and a banned process “card” which conveys details about the banned process.
    • Search: Users can search on the following fields on the alerts page:
      • sensor_action:DENY
      • sensor_action:TERMINATE
      • process_effective_reputation:COMPANY_BLACK_LIST
      • policy_deny
      • policy_terminate
      • company_banned
    • Filter: Users can filter on the following filters:
      • Effective Reputation: COMPANY_BLACK_LIST
      • Sensor Action: Terminate 
      • Sensor Action: Deny
      • Policy Status: Policy Applied

    A screenshot is provided below of the details panel for an Alert on the Alerts page.

    Screen Shot 2021-06-28 at 7.29.03 AM.png


    In Console Experience: Process Analysis

    The process analysis page will provide additional analysis on the process in question. When viewing the spawning process on the process analysis page, users can scroll down to the events view to see the terminated or denied process due to hash banning in the following way:

    • In the case that the process is terminated: User can filter for childproc and find the terminated process
    • In the case that the process is denied: User can filter for filemod and find the denied process


    In Console Experience: Investigate

    In order to find details on processes that are on the ban list, users may use the following search terms on the investigate page:

    • sensor_action:* 
    • sensor_action:DENY 
    • sensor_action:TERMINATE 
    • blocked_hash: [blocked sha256 hash]
    • blocked_name: [blocked hash name]
    • blocked_effective_reputation:COMPANY_BLACK_LIST
    • Free search should be supported for terms such as:
      • TERMINATE 
      • DENY 
      • BLOCK 
    • The following search terms will result in spawning process information
      • Process_hash: [spawning sha256 hash]
      • Process_name: [spawning hash name]
      • process_effective_reputation:COMPANY_BLACK_LIST


    In Console Experience: Reputation Page

    The Reputation page will serve to show users all banned hashes, who banned a given hash, allow users to add to banned list, and also remove hashes from the banned list.


    Client Side Notification

    When a hash is blocked or terminated on an endpoint, the endpoint will get a Carbon Black Cloud alert signifying if a hash is terminated or blocked which resembles the following:

    Screen Shot 2021-06-28 at 7.15.40 AM.png


    Policy Modification

    Enterprise EDR users will have a default policy for hash banning to terminate or deny a hash on the banned list if it runs or is running which cannot be modified.


  • 2.  RE: Announcing Hash Banning for Enterprise EDR

    Broadcom Employee
    Posted Jul 09, 2021 10:09 AM

    Hello community,

    In terms of the "default policy", where will this policy be displayed in the console?

    If a customer has ONLY EDR Threat Hunting, they would usually not have any policy section as far as I am aware, so where can they view the hash banning policy which will be applied?



  • 3.  RE: Announcing Hash Banning for Enterprise EDR

    Posted Jul 09, 2021 06:53 PM

    In the E-EDR experience, customers can navigate to Enforce > Policies and will see the following under the Prevention tab. E-EDR users will not be able to modify the policy.

    Screen Shot 2021-07-09 at 12.51.10 PM.png