Environment
- Endpoint Standard Sensor: 3.6
Symptoms
- A PowerShell script is blocked at execution with an alert similar to:
- The application powershell.exe ran a script file.ps1 that attempted to execute known malware. This script performs highly suspicious process injection behavior. A Deny policy action was applied.
- Adding the SHA hash of the script to the Approved List does not resolve the block
Cause
AMSI rules are preventing the execution of the script. These rules are enforced independently of the hash-based Approved List, which is why approving the script hash alone does not lift the block.
Resolution
- If not already done, add the script hash to Enforce > Reputation > Approved List
- Upgrade to sensor version 3.7
Additional Notes
- If the issue continues, open a case with Support and provide the following: