DirectDefense Incorrectly Asserts Architectural Flaw in Cb Response

August 9, 2017 / Michael Viscuso

Today, a blog was released that incorrectly asserts an architectural flaw in Cb Response that leaks customer data. In fact, this is an optional feature (turned off by default) to allow customers to share information with external sources for additional ability to detect threats.

Cloud-based multi-scanners are one of the most popular threat analysis services that enterprise customers opt into. These multi-scanners allow security professionals to scan unknown or suspicious binaries with multiple AV products at once.

Cb Response has a feature that allows customers to send their unknown or suspicious binaries to these cloud-based multi-scanners (specifically VirusTotal) automatically. We allow customers to opt in to these services and inform them of the privacy risks associated with sharing. Our products are not dependent on these services.

So what did the DirectDefense researchers find? In Cb Response, there is an optional, customer-controlled configuration (disabled by default) that allows the uploading of binaries (executables) to VirusTotal for additional threat analysis. This option can be enabled by a customer on a per-sensor-group basis. When enabled, executable files will be uploaded to VirusTotal, a public repository and scanning service owned by Google.

Below, we show how a customer chooses to share data with VirusTotal in Cb Response:

Note that this feature is disabled by default. Also note the granularity of options on this page (hashes, full binaries, full event data). Underneath the hood, these options also include further granularity to only participate partially. In other words, these are not “all in” or “all out” options.

If the customer enables the second option (sharing complete binaries with VirusTotal), Cb Response ensures that the customer understands the risks associated with uploading full binaries to a public multi-scanner service by displaying an explicit warning:

(The full text of this warning can be read at the end of this article.)

We appreciate the work of the security research community. However, it is important to note that DirectDefense did not inform Carbon Black of this issue prior to publication of the blog, so we had no opportunity to validate their findings. For example, the blog asserts that this is an architectural flaw in all Cb products. To the contrary, this is exclusively a Cb Response feature – it is not included in Cb Protection or Cb Defense. It is also not a foundational architectural flaw. It is a feature, off by default, with many options to ensure privacy, and a detailed warning before enabling.

Our customers, prospects, and partners are able to contact support at https://community.carbonblack.com or send email to support@carbonblack.com with any questions they have. We will happily use our strong relationship with VirusTotal to remove any sensitive data that was exposed via this feature.

Full text of sharing warning:

By electing to enable the “Scan unknown binaries with VirusTotal” feature, your server will send unknown binaries to Carbon Black with your consent. By electing to enable the “Share binary hashes with VirusTotal” feature, your server will send binary hashes and other metadata to Carbon Black with your consent. Each binary and/or hash and file metadata, as the case may be, will be submitted to VirusTotal and governed solely by the Terms of Service and Privacy Policy of VirusTotal. Carbon Black shall not be responsible for this submission or for any act or omission by VirusTotal. You are hereby advised (i) VirusTotal makes the metadata publicly available along with scan results from dozens of anti-virus products and (ii) VirusTotal also makes the files available to VirusTotal partners. You must determine whether to elect to enable this feature at your sole discretion. A checked box designates you are “opting in” and thereby electing to share this information with Carbon Black and its Alliance partners in the manner described. All information is anonymized to the extent reasonably practicable before being shared with Alliance partners. The applicable terms and conditions are set forth in and subject to your Carbon Black License Agreement.
