
EDR: Fileless Scriptload Cmdline Does Not Return Results

Environment

  • EDR Server:  7.6.0

Symptoms

A Process Search built with Add search terms > Choose criteria > Fileless > Command line contents > [Insert text] does not return results.

Cause

EDR 7.6.0 does not add double quotes around the search text when it builds the query from the Fileless > Command line contents criteria. The double quotes are required internally for the query to be processed, so the unquoted term matches nothing.

Resolution

Place double quotes around the text in the search query to obtain the expected results.
For example modify the search query: 
      fileless_scriptload_cmdline:myscript
To:
      fileless_scriptload_cmdline:"myscript"
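The following is an added example, not code from the article or from Carbon Black, that generalizes the workaround above: it builds a correctly quoted fileless_scriptload_cmdline clause, detects an unquoted clause anywhere in a larger query, rewrites it, and escapes embedded quotes so the search text stays a single phrase. The helper names and the process-search request shape (the q and rows parameters) are assumptions for illustration.

```python
"""Build and repair EDR process-search queries that use the
fileless_scriptload_cmdline field.  Added example; helper names and
the REST request shape are assumptions, not EDR's own code."""
import re
from urllib.parse import urlencode

FIELD = "fileless_scriptload_cmdline"

# Matches a fileless_scriptload_cmdline clause whose value is NOT already
# wrapped in double quotes (the form that returns nothing on EDR 7.6.0).
# The value runs to the next whitespace or closing parenthesis.
UNQUOTED_CLAUSE = re.compile(rf"\b{FIELD}:(?!\")([^\s)]+)")


def quote_term(text: str) -> str:
    """Return text wrapped in double quotes, escaping backslashes and
    embedded quotes so the phrase stays one token for the query parser."""
    escaped = text.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def fileless_cmdline_query(text: str) -> str:
    """Build the clause in the form the workaround requires."""
    return f"{FIELD}:{quote_term(text)}"


def needs_workaround(query: str) -> bool:
    """True if the query contains an unquoted fileless_scriptload_cmdline value."""
    return UNQUOTED_CLAUSE.search(query) is not None


def apply_workaround(query: str) -> str:
    """Rewrite every unquoted fileless_scriptload_cmdline value with quotes;
    already-quoted clauses and other fields are left untouched."""
    return UNQUOTED_CLAUSE.sub(lambda m: f"{FIELD}:{quote_term(m.group(1))}", query)


def process_search_params(query: str, rows: int = 10) -> str:
    """URL-encode the repaired query for a process search request.
    Parameter names (q, rows) are an assumption for illustration."""
    return urlencode({"q": apply_workaround(query), "rows": rows})


if __name__ == "__main__":
    # Constructed sample queries, not taken from the article.
    samples = [
        "fileless_scriptload_cmdline:myscript",
        "process_name:powershell.exe AND fileless_scriptload_cmdline:Invoke-Expression",
        'fileless_scriptload_cmdline:"already quoted"',
    ]
    for q in samples:
        print(f"{q!r:80} -> {apply_workaround(q)!r}")
```

Run it as a pre-flight step on saved searches or scripts that hit the process search endpoint, so that any query written against the criteria chooser on 7.6.0 is quoted before it is sent. Terms containing spaces still need to be passed to fileless_cmdline_query directly, since the detector cannot know where an unquoted multi-word value ends.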

Additional Notes

  • This is a temporary workaround until the next release.
  • AMSI event capture is disabled by default.
  • A fileless_scriptload event is recorded each time the sensor detects AMSI-decoded script content being executed by any process.
  • Only script content that was not stored in a file on the file system at the time it was executed is sent to the EDR server.

Article Information
Creation Date: 12-10-2021