Knowledge Base

Yes

Environment

Carbon Black Cloud Sensor: 3.6.x - 3.8.0.627
Microsoft Windows: All Supported Versions

Cause

Seeing events similar to:

The application powershell_ise.exe attempted to execute fileless content in order to evade inspection. A Deny policy action was applied.

CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -Command Help Set-ExecutionPolicy

Resolution

Upgrade to 3.8.0.722 or above

VMware Carbon Black Cloud Windows Sensor 3.8.0.722 Release Notes

DSEN-19179: Fixed an issue with PowerShell fileless script rules blocking the use of the “-executionpolicy” command line option

Knowledge Base

Carbon Black Cloud: Alerts for "The application powershell_ise.exe attempted to execute fileless content in order to evade inspection."

Carbon Black Cloud: Alerts for "The application powershell_ise.exe attempted to execute fileless content in order to evade inspection."

Environment

Cause

Resolution

Audit and Remediation

Carbon Black Cloud

Container

Endpoint Standard

Enterprise EDR

Managed Detection

Managed Detection and Response

Prevention

Workload

Knowledge Base

Carbon Black Cloud: Alerts for "The application powershell_ise.exe attempted to execute fileless content in order to evade inspection."

Carbon Black Cloud: Alerts for "The application powershell_ise.exe attempted to execute fileless content in order to evade inspection."

Environment

Cause

Resolution

Thank you for your feedback.

Thank you for your feedback.