Perform the following procedure to ban a list of process hashes.
You might have a list of process hashes from Carbon Black EDR or another source that you want to ban. For example, a warning from a threat intelligence source might provide a list of malware hashes. You can ban these processes in bulk on the Manage Banned Hashes page, including processes that are not yet observed by sensors reporting to your Carbon Black EDR server.
Procedure
- On the navigation bar, click Banned Hashes.
- Click the Ban More Hashes button.
- In the MD5 hashes to ban field, enter the MD5 hashes for the processes to ban. Each hash must be on its own line.
- In the Notes field, provide information about why these hashes are being banned. You might also want to add names for each of the hashes, if available.
- After you have entered the hashes and notes, click Ban Hashes to display the Confirm Banned Hashes page.
Note: The page indicates whether the hash is already known to this
Carbon Black EDR server, and if so, how many instances of the process have been seen and on how many endpoints. This page also allows you to modify the notes before finalizing the ban.
- For more information about a known hash, click the down-arrow to the right of it.
- If you decide not to ban a hash, click the Trash can icon next to it.
- Click Ban to ban all listed hashes.
The bans are added to the list on the Manage Banned Hashes page and are enabled.
The Notes you entered appear next to each hash you included in this ban. By default, the list is arranged in alphanumeric order by MD5 hash.
See Manage Banned Hashes.