Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: Why was NSudo.exe blocked?

Carbon Black Cloud: Why was NSudo.exe blocked?


  • Carbon Black Cloud Sensor
  • NSudo Application


Why was NSudo.exe, with hash 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618, blocked?


Although nsudo.exe used to included as part of the VMware OS Optimization Tool. The use of nsudo.exe has now been deprecated.

Unfortunately, as of late, nsudo.exe has been leveraged by attackers, particularly as a privilege escalation tool, used sometimes to disable MS Defender, or to make unwanted system modifications, as described in the Threat Intelligence write-up below:

BATLOADER: The Evasive Downloader Malware

For this reason, the binary has been now categorized as potentially unwanted application (PUA), which, like suspect malware, should be blocked or terminated at execution.

Additional Notes

Although the tool does not become a threat until it is weaponized as described in the write-up, we recommend removing it from the machines as a precautionary step.

Related Content

Was this article helpful? Yes No
No ratings
Article Information
Creation Date: