Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: 3.8.0.722 - 3.9.1.2691
- Microsoft Windows: All Supported Versions
Symptoms
Cause
- The application process is opening a handle to lsass.exe with a broader access mask than is considered safe or required, effectively requesting full access (PROCESS_ALL_ACCESS) to the Local Security Authority process.
- In response, the Sensor strips the excess access bits from the OpenProcess request rather than failing it: the application receives a handle with reduced rights, and the Sensor does not block or terminate the application process or prevent it from executing.
- Most applications are unaffected by this protection; only processes that actually depend on the stripped rights fail, and they fail at the point where they try to use those rights rather than at the OpenProcess call.
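The following diagnostic is an added example and is not part of this article or of the Carbon Black sensor. It opens lsass.exe with a chosen access mask and then reads back the access mask the handle actually carries (NtQueryObject with ObjectBasicInformation), which separates the behaviour described above (the open succeeds but comes back with fewer rights than requested) from an open that is refused outright, as a DACL or RunAsPPL denial would be. The class name LsassProbe, the function name Test-LsassAccess, and the three probe masks at the end are this example's own choices. Run it from an elevated PowerShell prompt on a test host: the PROCESS_ALL_ACCESS probe is exactly the request the rule is built to catch, so expect it to be reported.

```powershell
# Added diagnostic, not part of the KB article or the Carbon Black sensor: open lsass.exe
# with a chosen access mask and report which bits the kernel actually granted.
# Requires an elevated prompt (SeDebugPrivilege is needed to open lsass.exe at all).
$cs = @'
using System;
using System.Runtime.InteropServices;
public static class LsassProbe
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    // OBJECT_BASIC_INFORMATION as filled in by NtQueryObject(ObjectBasicInformation = 0).
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_BASIC_INFORMATION
    {
        public uint Attributes;
        public uint GrantedAccess;   // the access mask the handle really carries
        public uint HandleCount;
        public uint PointerCount;
        public uint PagedPoolCharge;
        public uint NonPagedPoolCharge;
        public uint Reserved0, Reserved1, Reserved2;
        public uint NameInfoSize;
        public uint TypeInfoSize;
        public uint SecurityDescriptorSize;
        public long CreationTime;
    }

    [DllImport("ntdll.dll")]
    public static extern int NtQueryObject(IntPtr Handle, int ObjectInformationClass,
        ref OBJECT_BASIC_INFORMATION ObjectInformation, int ObjectInformationLength, out int ReturnLength);
}
'@
Add-Type -TypeDefinition $cs

# Process access rights (winnt.h values) used to name whatever bits went missing.
$ProcessRights = [ordered]@{
    PROCESS_TERMINATE                 = 0x0001
    PROCESS_CREATE_THREAD             = 0x0002
    PROCESS_VM_OPERATION              = 0x0008
    PROCESS_VM_READ                   = 0x0010
    PROCESS_VM_WRITE                  = 0x0020
    PROCESS_DUP_HANDLE                = 0x0040
    PROCESS_QUERY_INFORMATION         = 0x0400
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
}
$PROCESS_ALL_ACCESS = 0x1FFFFF   # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF (Vista and later)

function Test-LsassAccess {
    param([Parameter(Mandatory)][uint32]$Requested)

    $lsass = Get-Process -Name lsass -ErrorAction Stop | Select-Object -First 1
    $h = [LsassProbe]::OpenProcess($Requested, $false, [uint32]$lsass.Id)
    if ($h -eq [IntPtr]::Zero) {
        # Refused outright: a DACL or protected-process denial, not a trimmed handle.
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{
            Requested = ('0x{0:X}' -f $Requested); Granted = $null; Missing = @()
            Verdict   = "OpenProcess failed (Win32 error $err): the open was refused, not trimmed"
        }
    }
    try {
        $info = New-Object -TypeName 'LsassProbe+OBJECT_BASIC_INFORMATION'
        $len  = [int]0
        $status = [LsassProbe]::NtQueryObject($h, 0, [ref]$info,
                     [System.Runtime.InteropServices.Marshal]::SizeOf($info), [ref]$len)
        if ($status -ne 0) { throw ('NtQueryObject failed: NTSTATUS 0x{0:X8}' -f $status) }

        $granted  = [uint32]$info.GrantedAccess
        $stripped = $Requested -band (-bnot $granted)        # requested but not granted
        $missing  = @($ProcessRights.GetEnumerator() |
                      Where-Object { $_.Value -band $stripped } | ForEach-Object { $_.Key })
        $verdict  = if ($stripped -eq 0) { 'handle carries every bit requested (no trimming observed)' }
                    else { 'handle returned with rights removed; later calls that need them will fail' }
        return [pscustomobject]@{
            Requested = ('0x{0:X}' -f $Requested); Granted = ('0x{0:X}' -f $granted)
            Missing   = $missing; Verdict = $verdict
        }
    }
    finally { [void][LsassProbe]::CloseHandle($h) }
}

# Usage: the mask a credential dumper asks for, next to the smaller masks a well-behaved tool needs.
Test-LsassAccess -Requested $PROCESS_ALL_ACCESS
Test-LsassAccess -Requested ($ProcessRights.PROCESS_VM_READ -bor $ProcessRights.PROCESS_QUERY_INFORMATION)
Test-LsassAccess -Requested $ProcessRights.PROCESS_QUERY_LIMITED_INFORMATION
```

Reading the result: a Granted value equal to Requested means nothing intervened; a Granted value with bits missing is the trimmed-handle case this article describes, and the Missing column names the rights a dependent application would fail on later; a null Granted with Win32 error 5 (ERROR_ACCESS_DENIED) means the open itself was refused, which is what Windows does for a protected lsass.exe rather than what the sensor does. An object callback can only remove bits from a request, never add them, so the third probe should always come back intact.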
Resolution
- Upgrade to sensor version 3.9.2 or later.
- 3.9.2 resolves many of the false positives produced by this rule.
- In 3.9.2 this rule is no longer part of the built-in "Tamper" ruleset; it is now part of the "Credential Theft" Core Prevention ruleset.
- If an exclusion is still needed after upgrading, add one from the policy's "Prevention" tab: navigate to Core Prevention > Credential Theft and click "Add Exclusion".
Additional Notes
Related Content