DirectDefense president Jim Broome claimed that his staff had been able to harvest data from several Cb Response customers because files uploaded by Cb Response customers had been forwarded to a cloud-based multiscanner.
Broome has since clarified that his firm “strongly believes” in cloud-based multiscanners, but he said they operate as for-profit businesses that spread files to “anyone who wants them and is willing to pay”.
He added that the problem was not isolated to Carbon Black.
“Additionally, it is imminently likely that there are other EDR sources and products to exploit (perhaps even other keys being used by Carbon Black’s solutions and even other vendors)”, he wrote. “Over the last couple of years, there have been over 50 EDR companies launched, and likely, some of them may follow the same inspection model as Carbon Black.”
However, Carbon Black co-founder and CTO Michael Viscuso said that using a cloud-based multiscanner is an optional feature in Cb Response that is turned off by default. The feature allows customers to share information with external sources to improve their ability to detect threats.
“Cloud-based multiscanners are one of the most popular threat-analysis services that enterprise customers opt into. These multiscanners allow security professionals to scan unknown or suspicious binaries with multiple AV products,” Viscuso wrote.
“Cb Response has a feature that allows customers to send their unknown or suspicious binaries to these cloud-based multiscanners (specifically VirusTotal) automatically. We allow customers to opt into these services and inform them of the privacy risks associated with sharing. Our products are not dependent on these services.”