When a process is blocked because of a Carbon Black EDR hash ban, that is an indication that some user or process attempted an unwanted activity. Even though the activity was blocked, you might want to investigate the attempt.

Carbon Black EDR reports an event each time a hash ban attempts to block a process, even if the block fails (for example because of an attempt to block a critical system or Carbon Black EDR process). The event appears on the Process Analysis page of the parent process. If a process was running at the time a ban was created and then terminated by the ban, a banner reports that fact on the Process Analysis page.

Blocking events can also trigger alerts and be included in the syslog output from Carbon Black EDR. See Enabling Alerts and Syslog Output for Banning Events.

To view all block events for a parent process, on the Process Analysis page for the parent process, search for blocked in the Type filter. See Process Search and Analysis.