logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

EDR: Live Response 'execfg' Commands Error with 0x80070005

EDR: Live Response 'execfg' Commands Error with 0x80070005

Environment

  • EDR Server:  7.4+
  • EDR Windows Sensor:  7.2.0+
  • App Control Agent:  7.+

Symptoms

During a Live Response session 'execfg' commands result in 'Remote error HRESULT 0x80070005'.

Cause

Two possible causes:
  1. App Control is installed with a policy  "Carbon Black EDR Tamper Protection" Rapid config and EDR Tamper Protection is set to Protect.
  2. App Control is installed without a policy "Carbon Black EDR Tamper Protection" Rapid config and EDR Tamper Protection is set to Protect.

Resolution

  1. Disable the App Control "Carbon Black EDR Tamper Protection" Rapid config after Carbon Black EDR Tamper Protection enforcement is in place.
  2. If #1 solution does not work, then implement the App Control rule that ignores executes by process cb.exe on path c:\windows\carbonblack\cbmarshal.exe. 
    Rule Type: Execution Control
Execute Action: Allow
Path or file:
<windows>\carbonblack\cbmarshal.exe
Process:
<windows>\carbonblack\cb.exe
User or Group: Local System

Additional Notes

  • App Control "Carbon Black EDR Tamper Protection" Rapid config was necessary to protect EDR software prior to EDR's Tamper Protection release.

  • Enabling Tamper Protection on both App Control and Carbon Black EDR does not provide extra protection. We recommend that you disable the App Control "Carbon Black EDR Tamper Protection" Rapid config after Carbon Black EDR Tamper Protection enforcement is in place. 

  • Requirements for EDR Windows Tamper Protection:
    • Minimum OS Versions of Windows 10 v1703 (Desktop) or Windows Server v1709 (Windows build 15163)
    • Minimum Carbon Black EDR versions of v7.2.0 Windows EDR sensor and
    • v7.4.0 Carbon Black EDR Server
  • Any Windows sensor in a sensor group that has Tamper Protection applied and that does not meet the minimum OS requirements will default to Tamper Detection. VMware Carbon Black App Control Tamper Protection is recommended in these cases. We recommend that you update the tamper rule settings for Carbon Black App Control to the latest Carbon Black EDR Tamper Protection Rapid Config.

Related Content


Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎05-26-2022
Views:
707
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.