Terminated process alert with a TTP:Policy_Deny action for a file that was approved by certificate and/or had Trusted_Allow_List for the process and parent. 

Typically the sensor will delay execution at time of IRP_MJ_CREATE when it sees a file being opened for execute. However, that's not guaranteed to happen if ScanNetworkDriveExecute=false is set, or the sensor could have missed seeing the open prior to ctifile loading.

This was fixed in DSEN-11927, and affected Windows endpoints should upgrade to 3.6.0.2076 or Higher.