Environment
- Carbon Black Cloud: Enterprise Standard
- Carbon Black Cloud Windows Sensor: 3.6.x - 3.8.0.398
- Windows OS: All Supported Versions
Symptoms
SHA-256 hashes under the scriptload filter in the Investigate page have an unusual value format: a 16-character hash value, followed by 32 zeros, followed by the same 16 characters repeated.
Example: scriptload_hash:abcdefgh1234567800000000000000000000000000000000abcdefgh12345678
Cause
The sensor is failing to deduce/report the "on-disk" SHA-256 hash value of script files for AMSI_CONTENT_SCAN_EVENT events.
Resolution
This issue was resolved in defect UAV-2477 and the fix is included in Windows Sensor versions 3.8.0.467 and higher. Upgrade sensors to this version or higher and scriptload_hash values will be reported correctly to the console.
Additional Notes
- Workaround: Search the Investigate page for the script filename and filter by filemod to find the correct SHA-256 hash value. Then, add this hash to the ALLOW Reputation list to allow it to execute.
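
As an added example (not Carbon Black code), this Python helper flags scriptload_hash values in exported event records that match the malformed format from the Symptoms section, groups them by script so the filemod lookup can be done once per file, and marks devices whose sensor is below 3.8.0.467. The record layout, the field names scriptload_name, device_name and sensor_version, and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Symptoms format: 16 characters + 32 zeros + the same 16 characters again.
# [0-9a-z] instead of strict hex so the article's own sample value matches.
MALFORMED = re.compile(r"^([0-9a-z]{16})0{32}\1$", re.IGNORECASE)
FIXED_VERSION = (3, 8, 0, 467)  # first sensor build with the fix (Resolution)


def is_malformed(scriptload_hash):
    """True when the value has the placeholder layout instead of a real digest."""
    return bool(MALFORMED.match(scriptload_hash.strip()))


def needs_upgrade(sensor_version):
    """True when a dotted sensor version is below the fixed build."""
    return tuple(int(p) for p in sensor_version.split(".")) < FIXED_VERSION


def triage(events):
    """Map each script with a malformed hash to the devices that reported it."""
    affected = defaultdict(set)
    for ev in events:
        if is_malformed(ev["scriptload_hash"]):
            affected[ev["scriptload_name"]].add(
                (ev["device_name"], needs_upgrade(ev["sensor_version"])))
    return {name: sorted(devs) for name, devs in affected.items()}


# Constructed sample records. Field names other than scriptload_hash are assumed.
SAMPLE_EVENTS = [
    {"device_name": "WS-01", "sensor_version": "3.8.0.398",
     "scriptload_name": "c:\\scripts\\deploy.ps1",
     "scriptload_hash": "abcdefgh12345678" + "0" * 32 + "abcdefgh12345678"},
    {"device_name": "WS-02", "sensor_version": "3.7.0.100",
     "scriptload_name": "c:\\scripts\\deploy.ps1",
     "scriptload_hash": "abcdefgh12345678" + "0" * 32 + "abcdefgh12345678"},
    # SHA-256 of empty input: a well-formed digest that must not be flagged.
    {"device_name": "WS-03", "sensor_version": "3.8.0.467",
     "scriptload_name": "c:\\scripts\\backup.ps1",
     "scriptload_hash":
         "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

if __name__ == "__main__":
    for script, devices in triage(SAMPLE_EVENTS).items():
        for device, upgrade in devices:
            print(f"{script}\t{device}\tupgrade_needed={upgrade}")
```

Each script listed in the output is one to look up by filename with the filemod filter, as the workaround describes.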