By default, file bans stop future attempts to execute a file but do not terminate processes that are already running on an agent-managed system.
This means that a file that was allowed to run but is later determined to be malicious continues to run until it is terminated for some reason other than a Carbon Black App Control rule, or until the system restarts. This is especially likely in Low and Medium Enforcement policies, where files that are not explicitly banned are allowed to run.
You can configure policies so that computers in those policies stop currently running software when they receive a rule that bans it. This capability provides better control over software in your environment. It must be used carefully to avoid interrupting important processes or preventing a computer from running at all. When enabled for a policy, process termination applies to all banned files. Newly created policies are configured to report processes that would have been terminated by a ban, but not to actually terminate them.
- Termination of processes with banned images is supported on Windows agents only.
- You can also delete files on endpoints using Carbon Black App Control Console commands. See Deleting Files.
Any ban, whether or not the affected system terminates banned processes, can disrupt a user's system or cause dependent applications to fail. On the other hand, allowing bans to terminate running processes gives immediate feedback on the effect of the ban, and makes it possible to terminate a legitimate process that has loaded malicious code and let it restart without the infection. The following examples illustrate the potential impact of enabling process termination:
- Discrete Single Application
- Ban skype.exe. On systems affected by the ban, all running instances of Skype are abruptly terminated and any attempt by users to restart Skype is blocked.
- Windows Explorer Extension
- Ban a file called malware.dll, which is registered as a Windows Explorer extension and is loaded in every running instance of Explorer. On systems affected by the ban, all instances of Explorer are terminated and Explorer is automatically restarted by Windows. On restart, the banned file malware.dll is blocked from loading while Explorer itself continues to load and run, so the ban removes the unwanted code without permanently blocking the critical Explorer process. Without the terminate process setting, the banned DLL would remain loaded in every running instance of Explorer even after it was banned.
- Dynamically Loaded DLL
- Ban wsock32.dll, and assume that wsock32.dll is dynamically loaded by the application xyz.exe when it needs to perform certain network operations and unloaded when the operation is complete. On systems affected by the ban, if wsock32.dll is not loaded when the ban takes effect, it is blocked the next time xyz.exe tries to load it, which likely causes that operation to fail. If the ban takes effect while the file is loaded, the process xyz.exe is terminated.
- Shared Service
- Ban malware.dll, which is installed as a service and shares an instance of svchost.exe with other running services. When the file is banned, that instance of svchost.exe is terminated together with every other service hosted in the same process.
- Injection in Critical Process
- Ban malware.dll, which has been injected into csrss.exe, a critical system process. On systems affected by the ban, csrss.exe is terminated. Windows treats the death of a critical system process as fatal and immediately halts with a bug check (blue screen). When csrss.exe is loaded again at startup, Carbon Black App Control prevents the banned image from being injected, and the system boots normally without the malware.
- Boot-time Driver
- Ban malware.sys, which is installed as a boot-time driver. If the driver loads before the Carbon Black App Control Agent does, it can continue to execute and might not be stoppable without crashing the machine. Booting into safe mode to remove the infection, or restoring to an earlier restore point, may be the only remediation.
Keep these and other possible effects in mind when considering whether to enable process termination in a policy.
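Before enabling termination for a policy, it helps to know in advance which processes on an endpoint actually have the file loaded, because that is what decides which of the scenarios above you get. The following PowerShell script is an added example and is not part of the Carbon Black App Control product or its documentation. It takes one file name (the hypothetical malware.dll, or whatever file you intend to ban), lists every process that has it loaded, and classifies the expected impact: a critical system process (bug check), a shared svchost.exe instance (every co-hosted service stops), Explorer (shell restarts), or an ordinary process. It also checks whether the name is a loaded kernel driver, which a ban cannot terminate at all. It uses only built-in cmdlets (Get-Process, Get-CimInstance) and should be run elevated from a 64-bit PowerShell on the endpoint, since module enumeration of other processes needs both.

```powershell
<#
  Added example, not Carbon Black App Control code. Answers the question the
  process-termination scenarios raise: "if this ban terminates running
  processes, what exactly dies on this endpoint?"
  Usage (file name is a hypothetical example):
      .\Get-BanImpact.ps1 -FileName malware.dll
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$FileName
)

# Processes Windows treats as critical; terminating one triggers an immediate bug check.
$criticalProcesses = @('csrss', 'smss', 'wininit', 'winlogon', 'services', 'lsass')

# Map PID -> service names so a hit inside a shared svchost.exe shows every
# co-hosted service that would stop with it.
$servicesByPid = @{}
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.ProcessId -gt 0) {
        $svcPid = [int]$svc.ProcessId
        if (-not $servicesByPid.ContainsKey($svcPid)) { $servicesByPid[$svcPid] = @() }
        $servicesByPid[$svcPid] += $svc.Name
    }
}

$unreadable = @()
$report = foreach ($proc in Get-Process) {
    try {
        # Module enumeration throws for protected processes (e.g. csrss.exe on
        # recent Windows), for PID 4, and for wrong-bitness hosts.
        $loaded = @($proc.Modules | Where-Object { $_.ModuleName -ieq $FileName })
    } catch {
        $unreadable += $proc.ProcessName   # record so the reader knows the scan was partial
        continue
    }
    if ($loaded.Count -eq 0) { continue }

    $hosted = if ($servicesByPid.ContainsKey($proc.Id)) { $servicesByPid[$proc.Id] } else { @() }

    # -contains / -eq are case-insensitive in PowerShell, so 'Csrss' still matches.
    $impact = if ($criticalProcesses -contains $proc.ProcessName) {
        'critical process: terminating it bug-checks the system'
    } elseif ($proc.ProcessName -eq 'svchost' -and $hosted.Count -gt 0) {
        "shared service host: also stops $($hosted -join ', ')"
    } elseif ($proc.ProcessName -eq 'explorer') {
        'shell terminated; Windows restarts it without the banned module'
    } else {
        'process terminated; user must restart it'
    }

    [pscustomobject]@{
        Process    = $proc.ProcessName
        PID        = $proc.Id
        ModulePath = $loaded[0].FileName
        Impact     = $impact
    }
}

# Kernel drivers are not user-mode processes: a ban cannot terminate a loaded
# driver, and a Boot start mode means it may load before the agent does.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ([System.IO.Path]::GetFileName($_.PathName) -ieq $FileName) }

if ($report) {
    $report | Format-Table -AutoSize
} else {
    Write-Host "No running process has $FileName loaded; a ban would only block future loads."
}
foreach ($d in $drivers) {
    Write-Warning ("{0} is kernel driver '{1}' (State={2}, StartMode={3}); " +
                   "a ban cannot terminate it, and Boot start may run before the agent.") `
                   -f $FileName, $d.Name, $d.State, $d.StartMode
}
if ($unreadable.Count -gt 0) {
    Write-Warning "Could not read modules of: $(($unreadable | Sort-Object -Unique) -join ', ')"
}
```

Run it on a representative endpoint from each policy before switching that policy from report-only to terminate. A row whose Impact starts with "critical process" or "shared service host" is exactly the case where the report-only default is the safer first step, because the ban will take down more than the file you are targeting.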
Enable or Disable Immediate Termination of Banned Processes
To enable or disable immediate termination of banned processes, perform the following procedure.