This section describes how to respond to endpoint incidents by isolating endpoints by using Live Response, and by banning process hashes.

When you discover a malicious file or process on your endpoint(s) using Carbon Black EDR, you can address the issue in a variety of ways. Carbon Black EDR provides the following methods for responding to threats directly from the console:

  • Endpoint Isolation – You can isolate an endpoint from the rest of the network, leaving only the connections that are needed for access to its sensor by the Carbon Black EDR server.

  • Live Response – Live Response opens a command interface for direct access to any connected host running the Carbon Black EDR sensor. Responders can perform remote live investigations, intervene in ongoing attacks, and instantly remediate endpoint threats.

  • Process Hash Banning – You can ban a process hash so that the process cannot be run again on hosts reporting to this Carbon Black EDR server, and any running version of it is terminated.

These features can be used together or separately. For example, you can isolate an endpoint immediately to prevent the spread of the problem and then use Live Response to end the process and perform any other file removal or needed repairs.

On the other hand, if the incident is not ongoing, isolation might not be necessary. In that case, you can use Live Response to remediate or further investigate the issue on affected endpoints, or simply ban the hash for the malicious process.

Carbon Black EDR does not present a message on the affected endpoint when any of these features is used on an affected sensor. With endpoint isolation, a user would likely become aware quickly that they had lost network access, but would not know why. With Live Response, actions you take on a computer might affect a user’s access to files or programs, but there would be no indication that Carbon Black EDR tools are responsible, unless you have chosen to make the user aware of that. Also, when there is an attempt to run a process that is banned by hash, the operating system might display a dialog indicating a lack of access, or the process might silently fail to run.

If you also have the Carbon Black App Control agent on your endpoints, you can use Carbon Black App Control control features to investigate incidents and modify rules to prevent future occurrences. See the VMware Carbon Black EDR Integration Guide for details.

Note:

To use the features described in this chapter, a user must be one of the following:

  • A user that has the enhanced Analyst permission for the feature and is a member of a team that has the Analyst role for the sensor group for the endpoint being acted upon (or for any sensor group to ban hashes).

  • For Carbon Black EDR installations, a Global Administrator.

  • For Carbon Black Hosted EDR installations, an Administrator.

See Managing User Accounts (Carbon Black EDR) or Managing User Accounts (Carbon Black Hosted EDR) for more information about user roles and privileges.