Reputation is something that should be taken (and usually is) seriously. It affects how we look at people and companies, what level of trust there is, and whether we should recommend said people or companies to others. In the world of NextGen AV and EDR, reputation is supposed to work the same way. This is not always the case, and it can be very detrimental when it is not. When reputation levels are not set properly inside such software or security solutions, you end up with situations where good software is blocked.
Let us start with a simple situation. You use a well known piece of software, say Commvault, which properly signs its software. CarbonBlack Protect knows this software, and there is no issue with getting it whitelisted properly. This is not the case with CarbonBlack Defense. You would think that it would have the certificate already in the system (it doesn’t, and there are other, more well known certificates that are not in there either), or at least have had the software in their back end as a known vector. Again, this is not the case as of this writing (and there is other software I have run into this issue with, so it is not an isolated case). It is easy enough to add the certificate into the system, but that does not make the software known at this point; it just adjusts the secret sauce scoring down and does not guarantee that the software will not be blocked. Requesting an upload for every file that is run as part of the software would be a full time job for at least one person (if not multiple people), and that still does not mean that you will lose the unknown file tag. Even whitelisting the file itself (which can make for a huge database of exceptions to manage) does not guarantee the file will be allowed to do what it needs to do. The only way to guarantee it is to put the path to the file(s) in a bypass mode of some sort. This then prevents anything in that path from being looked at or recorded, leaving blind spots on the system for malicious software or actors to hide in. This is an unacceptable risk, and it really defeats the purpose of EDR software.
There are other issues with the Unknown and Not Listed reputations that I have run into as well. I have set certain policies up so that unknown software can do certain things, but surprisingly it still gets blocked because the reputation is Not Listed, again even though it should be known software. The CarbonBlack engineers have been working on this for over a month with no solution other than to put said software into a bypass type mode. Again, not a good solution.
I am lucky, as I have been dealing with this on test machines before rolling out to the full company, and I have heard of similar issues with other NextGen AV and EDR products. The worst part is the response from the company, and the length of time it is taking to track down such issues. This sort of issue should be a deal breaker for anyone who wants to use such software. AV is still an important and needed product on endpoints, and the shift to EDR software can be a good thing, but not when it leaves you blind. This is yet another reason why I feel EDR software is not quite ready for prime time, or in other words, the reputation I have of such software is diminishing rapidly.