
Carbon Black Cloud: AMSI scriptload_hash show unusual SHA-256 value with extra zeros

Environment

  • Carbon Black Cloud: Enterprise Standard
  • Carbon Black Cloud Windows Sensor: 3.6.x - 3.8.0.398
  • Windows OS: All Supported Versions

Symptoms

SHA-256 hashes shown under the scriptload filter on the Investigate page have an unusual format: a 16-character value, followed by 32 zeros, followed by the same 16 characters repeated (64 characters in total, so it looks like a SHA-256 at a glance).

Example: scriptload_hash:abcdefgh1234567800000000000000000000000000000000abcdefgh12345678

Cause

The sensor fails to determine and report the "on-disk" SHA-256 hash value of script files for AMSI_CONTENT_SCAN_EVENT events, so a padded placeholder value is reported instead.

Resolution

This issue was tracked as defect UAV-2477 and the fix is included in Windows Sensor versions 3.8.0.467 and higher. Upgrade sensors to that version or later and scriptload_hash values will be reported correctly to the console.

Additional Notes

  • Workaround: On the Investigate page, search for the script's filename and filter by filemod to find the correct SHA-256 hash value. Then add this hash to the ALLOW reputation list to allow the script to execute. Do not add the malformed scriptload_hash value itself, since it is not the file's real hash.
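As an added illustration (not from the article or from the vendor), the following Python helper recognises the malformed scriptload_hash shape described above, checks whether a sensor version predates the fixed build, and applies the filemod-lookup workaround to constructed sample events. The event field names, the sample data and the assumption that real hash values are hexadecimal (the article's "abcdefgh..." example is only illustrative) are mine.

```python
import re
from typing import Optional

# Shape of the bad value from the article: 16 hex chars, 32 zeros, then the
# same 16 hex chars again (64 chars total, so it passes a naive length check).
# Assumption: real values are hex; the article's example letters are illustrative.
MALFORMED_RE = re.compile(r"^([0-9a-f]{16})0{32}\1$", re.IGNORECASE)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
FIXED_SENSOR = (3, 8, 0, 467)  # first Windows sensor version carrying the fix (from the article)


def is_malformed_scriptload_hash(value: str) -> bool:
    """True when a scriptload_hash has the zero-padded, repeated-prefix shape."""
    return MALFORMED_RE.match(value) is not None


def sensor_is_affected(version: str) -> bool:
    """True when a dotted sensor version string is below the fixed version."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < FIXED_SENSOR


def resolve_script_hash(event: dict, filemod_index: dict) -> Optional[str]:
    """Article workaround: if the scriptload hash is malformed, fall back to the
    SHA-256 recorded by the filemod event for the same file; None if unknown."""
    h = event.get("scriptload_hash", "")
    if SHA256_RE.match(h) and not is_malformed_scriptload_hash(h):
        return h.lower()
    return filemod_index.get(event.get("filename", "").lower())


def audit(events, filemod_index):
    """Return (filename, status, resolved_hash) per event, flagging bad data.
    A malformed value on a sensor at or above the fixed version is called out,
    because the article's defect should not explain it."""
    rows = []
    for ev in events:
        bad = is_malformed_scriptload_hash(ev.get("scriptload_hash", ""))
        resolved = resolve_script_hash(ev, filemod_index)
        status = "ok" if not bad else (
            "malformed, used filemod hash" if resolved else "malformed, no filemod hash found")
        if bad and not sensor_is_affected(ev.get("sensor_version", "0")):
            status += " (unexpected: sensor at or above fixed version)"
        rows.append((ev["filename"], status, resolved))
    return rows


# Constructed sample events and filemod index (hypothetical, not real telemetry).
EVENTS = [
    {"filename": "C:\\scripts\\deploy.ps1", "sensor_version": "3.8.0.398",
     "scriptload_hash": "0123456789abcdef" + "0" * 32 + "0123456789abcdef"},
    {"filename": "C:\\scripts\\clean.ps1", "sensor_version": "3.8.0.467",
     "scriptload_hash": "a1" * 32},
]
FILEMOD_INDEX = {"c:\\scripts\\deploy.ps1": "b2" * 32}
```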

Article Information
Creation Date: 07-20-2022