A binary is reported incorrectly, or as unknown, when its details are reviewed from the OS. Showing the correct details can assist in tuning alerts such as "Suspicious On-Screen Keyboard Process" for Carbon Black EDR (CB Response).
Carbon Black EDR (CB Response)
Review the output of the following curl commands, run on the EDR server. Replace <Md5Hash> with the MD5 of the binary in question, written in the same upper-case form as the second (example) command:
curl 'http://localhost:8080/solr/cbmodules/select?q=md5:<Md5Hash>&rows=5&indent=true' > md5_binary.txt
curl 'http://localhost:8080/solr/cbmodules/select?q=md5:D78B79745706256950D42EFFA5485627&rows=5&indent=true' > D78B79745706256950D42EFFA5485627_binary.txt
If the query returns no documents (numFound="0"), the binary information may have been removed from the cbmodules core.
From VMware Carbon Black Support:
"Binary may have been removed from cbmodules core. If a sensor has already seen that hash of OSK.exe and has sent it, or the server told it previously that it had it in cbmodules, it won't resend the binary information again because the internal cache on the sensor says the server already has it."
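The query and its interpretation, as an added shell example that is not part of the original article or of VMware's own tooling: it wraps the Solr query above, saves the raw response under the hash-named file the article uses, and reads numFound from the default XML response to say whether cbmodules still holds a document for that MD5. The SOLR_URL variable, the function names and the embedded sample responses are assumptions made for this example; the sample responses are constructed to match the shape of a Solr XML reply, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original article or from VMware.
# Assumes the default (XML) response of the cbmodules select handler.
SOLR_URL="${SOLR_URL:-http://localhost:8080/solr/cbmodules/select}"

# Pull numFound out of a saved Solr XML response, e.g.
#   <result name="response" numFound="1" start="0">
solr_num_found() {
    sed -n 's/.*<result name="response" numFound="\([0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Upper-case the hash (the article's example hash is upper case) and reject
# anything that is not exactly 32 hex digits, so a typo cannot become a
# misleading "not present" result.
normalize_md5() {
    md5=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    case "$md5" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#md5}" -eq 32 ] || return 1
    printf '%s' "$md5"
}

# Run the same query the article shows, keep the raw output in
# <MD5>_binary.txt, and report presence (0) / absence (1) / error (2).
check_binary() {
    md5=$(normalize_md5 "$1") || { echo "invalid md5: $1" >&2; return 2; }
    out="${md5}_binary.txt"
    curl -s "${SOLR_URL}?q=md5:${md5}&rows=5&indent=true" > "$out" || return 2
    n=$(solr_num_found "$out")
    if [ -z "$n" ]; then
        echo "no Solr response header in $out (is the server up?)" >&2
        return 2
    fi
    if [ "$n" -eq 0 ]; then
        echo "$md5: not present in cbmodules (binary metadata may have been removed)"
        return 1
    fi
    echo "$md5: $n document(s) in cbmodules (see $out)"
    return 0
}

# Constructed sample responses (not real server output) for offline checks.
sample_empty_response() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">0</int><int name="QTime">1</int></lst>
<result name="response" numFound="0" start="0"/>
</response>
EOF
}

sample_found_response() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">0</int><int name="QTime">2</int></lst>
<result name="response" numFound="1" start="0">
  <doc><str name="md5">D78B79745706256950D42EFFA5485627</str></doc>
</result>
</response>
EOF
}
```

Usage on the EDR server: `check_binary D78B79745706256950D42EFFA5485627`. A return code of 1 is the "binary may have been removed from cbmodules core" case described by support above; a 2 means the query itself failed and says nothing about the binary.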