Today, a blog was released that incorrectly asserts an architectural flaw in Cb Response that leaks customer data. In fact, this is an optional feature (turned off by default) to allow customers to share information with external sources for additional ability to detect threats.
Cloud-based multi-scanners are among the most popular threat analysis services that enterprise customers opt into. These multi-scanners allow security professionals to scan unknown or suspicious binaries with multiple AV products at once.
Cb Response has a feature that allows customers to send their unknown or suspicious binaries to these cloud-based multi-scanners (specifically VirusTotal) automatically. We allow customers to opt in to these services and inform them of the privacy risks associated with sharing. Our products are not dependent on these services.
So what did the DirectDefense researchers find? In Cb Response, there is an optional, customer-controlled configuration (disabled by default) that allows the uploading of binaries (executables) to VirusTotal for additional threat analysis. This option can be enabled by a customer, on a per-sensor group basis. When enabled, executable files will be uploaded to VirusTotal, a public repository and scanning service owned by Google.
Below, we show how a customer chooses to share data with VirusTotal in Cb Response:
Note that this feature is disabled by default. Also note the granularity of options on this page (hashes, full binaries, full event data). Under the hood, these options include further granularity that lets a customer participate only partially. In other words, these are not “all in” or “all out” options.
If the customer enables the second option (sharing complete binaries with VirusTotal), Cb Response ensures that the customer understands the risks of uploading full binaries to a public multi-scanner service by displaying an explicit warning:
(The full text of this warning can be read at the end of this article).
We appreciate the work of the security research community. However, it is important to note that Carbon Black was not informed of this issue by DirectDefense prior to publication of their blog, so we had no opportunity to validate their findings. For example, the blog asserts that this is an architectural flaw in all Cb products. To the contrary, this is exclusively a Cb Response feature; it is not included in Cb Protection or Cb Defense. Nor is it a foundational architectural flaw. It is a feature, off by default, with many options to ensure privacy and a detailed warning before it can be enabled.
Our customers, prospects, and partners are able to contact support at https://community.carbonblack.com or send email to firstname.lastname@example.org with any questions they have. We will happily use our strong relationship with VirusTotal to remove any sensitive data that was exposed via this feature.
Full text of sharing warning: