This section describes hash banning in Carbon Black EDR.

A Carbon Black EDR investigation might reveal that known malware has been allowed to run on endpoints without being blocked. This could be because of a gap in updating your endpoint protection software or a more general gap in protection capabilities. Another possibility is that you receive notification of a threat not yet encountered on your endpoints, and you are not certain that you are fully protected against it.

While not intended to replace endpoint protection products, Carbon Black EDR provides a hash banning feature to prevent malware processes from running in the future. This feature will also terminate the process for a newly banned hash if it is running when the ban is created. You can use this feature to prevent further actions from a threat until your endpoint protection is able to do so.


The Carbon Black EDR banning feature identifies and bans processes based on their MD5 hash.

  • Hash banning does not ban shared libraries, such as DLLs, SYSs, CPLs, and OCXs. You can follow the steps to ban these files, but it will have no effect.

  • Banning does not use SHA-256 hashes, even if they are available.

  • If an endpoint is restarted, any banned process that runs on restart will terminate as soon as the Carbon Black EDR sensor begins to run.