Carbon Black Cloud: Blocks on Rapid7 (ir_agent.exe) Attempting to Launch Process Explorer (procexp.sys)

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.9.0 - 3.9.1
  • Microsoft Windows: All Supported Versions

Symptoms

  • Alerts are reported in the Console, similar to:
    The application ir_agent.exe attempted to launch c:\windows\system32\drivers\procexp.sys which can be abused by malware to interfere with security products.
  • The block occurs even though the Sensor is enforcing a Policy with Bypass permissions in place for the Rapid7 Insight Agent application path.

Cause

A Sensor Tamper Protection rule is preventing the Process Explorer driver from being loaded by Insight Agent.

Resolution

  • This issue was tracked by engineering under EA-22835 and fixed in the 3.9.2 Sensor release with the resolution of DSEN-24075.
  • To remediate the issue, update impacted Sensors to 3.9.2.2698 or higher.

Creation Date: 07-24-2023