Why am I not being alerted for POLICY_DENY events on KNOWN_MALWARE reputations?
Carbon Black Cloud Endpoint Standard
If an application hash attempts to do a generic read access only on the targeted malware, the sensor will block the action and log this event but not generate an alert. The reason is to prevent an excess of alerts for read access on malware. See Endpoint Standard: Why doesn't POLICY_DENY of KNOWN_MALWARE generate an Alert? for additional information.
Note: Alerts can be enabled for all deny events by creating a notification with the policy action enforced type set to "Deny".
See Carbon Black Cloud: How to Add New Notifications for additional information on how to complete setup.
Please sign in to leave a comment.