
Carbon Black Cloud: Sensor Performance & Networking Issues When 'Svchost.exe mitigation' Option is Enabled in Microsoft Security Baseline Group Policy

Environment

Carbon Black Cloud (formerly PSC) Sensor: 3.5+
  • Endpoint Standard (Formerly CB Defense)
  • Enterprise EDR (Formerly CB ThreatHunter)
Windows 10 v1903+ (Windows 10 1903+ and Windows Server Security Baselines)

Symptoms

  • Long boot times
  • Applications with Network connection issues
  • Applications delayed opening
  • High/Pegged CPU (by Service Host: Windows Management Instrumentation)
  • Sensor Bypass does not resolve the issue

Cause

  • The Microsoft 'Enable svchost.exe mitigation options' policy, included in the Windows 10 1903+ and Windows Server security baselines, prevents cbAMSI.dll from loading.
  • cbAMSI.dll meets all Microsoft AMSI provider signing requirements, but it still fails to load while this Microsoft security policy is enabled.

Resolution

Disable the 'Enable svchost.exe mitigation options' policy in the GPO's Security Settings, at:
  • System\Service Control Manager Settings\Security Settings - 'Enable svchost.exe mitigation options'

Additional Notes

Besides inspecting the GPO setting, the setting can also be changed directly in the registry.
(NOTE: If the value is disabled directly in the registry, it will be re-enabled after a reboot once the GPO settings are applied, and any application that had not already loaded before the GPO was received may continue to fail. The change only persists when it is made through the GPO, unless no GPO for this setting exists.)

Open Windows Registry Editor as Administrator: click Start > Run, type regedit
  1. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SCMConfig
  2. Check whether the following value exists and is set to enabled: 'EnableSvchostMitigationPolicy'=dword:00000001
  3. Change the DWORD value from 1 to 0 to disable the policy
  4. Reboot to apply and persist the setting (unless a GPO is in place)
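The same check and change, scripted for an elevated PowerShell session. This is an added example, not code from the original Carbon Black article; the key path and value name are the ones the steps above give, and the function names are assumptions. Because a GPO will re-enable the value at the next policy refresh, the script also writes a Resultant Set of Policy report so the administrator can find which GPO delivers the setting and disable it there.

```powershell
# Added example (not from the Carbon Black article). Assumes an elevated PowerShell session.
# Key path and value name are taken from the article's registry steps.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig'
$ValueName = 'EnableSvchostMitigationPolicy'

function Get-SvchostMitigationState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' from the DWORD value.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Disable-SvchostMitigation {
    # Sets the value to 0 (disabled); creates the key if the baseline never wrote it.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
}

$before = Get-SvchostMitigationState
Write-Host "svchost.exe mitigation policy: $before"

if ($before -eq 'Enabled') {
    Disable-SvchostMitigation
    Write-Host "svchost.exe mitigation policy now: $(Get-SvchostMitigationState). Reboot to apply."

    # The registry change alone does not persist when a GPO sets this policy. Generate an RSoP
    # report to identify the GPO that delivers 'Enable svchost.exe mitigation options' and
    # disable the setting there (System\Service Control Manager Settings\Security Settings).
    $report = Join-Path $env:TEMP 'rsop.html'
    gpresult /h $report /f
    Write-Host "Resultant Set of Policy report written to $report"
}
```

Run the script once to read the current state; it only writes to the registry when the value is currently 1. After the reboot, re-run it: if the state has gone back to 'Enabled', the RSoP report will show the GPO that needs to be edited.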

From MS articles listed below:

"Important - Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software)."

"The first and most important change is that we are removing the Computer Configuration setting, “Enable svchost.exe mitigation options” (in System\Service Control Manager Settings\Security Settings) from the Windows 10 and Windows Server baselines at this time because of reports that in its current implementation it causes more compatibility issues than we had anticipated."

Article Information
Creation Date: 03-19-2021