Enterprise EDR: PowerShell Blocked for Executing Fileless Script in Enterprise EDR-only Environment

Environment

  • Enterprise EDR Console: All Versions
  • Carbon Black Cloud Sensor: 3.8.0.535
  • Microsoft Windows: All Supported Versions

Symptoms

  • Alerts are reported, similar to:
    The application powershell.exe attempted to execute fileless content in order to evade inspection. A Deny policy action was applied.
  • Endpoint Standard is not enabled for the environment.

Cause

A defect in the 3.8.0.535 Sensor caused a Tamper Protection rule to block the script in Enterprise EDR-only orgs when the script attempted to disable AMSI. The rule applied a Deny action even though Endpoint Standard was not enabled for the org.

Resolution

  • This issue was investigated by engineering under EA-21466 and resolved with the release of the 3.8.0.722 Sensor.
  • To remediate, upgrade Sensors on impacted machines to 3.8.0.722 or higher.
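Before scheduling upgrades, it helps to confirm which machines are still on the affected build. The script below is an added example, not part of the original article or a Carbon Black tool: it reads the installed sensor version from the Windows Uninstall registry keys and reports whether the host is on 3.8.0.535 or otherwise below the fixed build 3.8.0.722. It assumes the sensor's Uninstall entry has a DisplayName containing "Carbon Black Cloud Sensor" and a DisplayVersion carrying the four-part sensor build; adjust the name pattern if your install reports differently.

```powershell
# Added example (not from the original article): check whether the installed
# Carbon Black Cloud sensor is the affected 3.8.0.535 build, or otherwise
# below the fixed build 3.8.0.722, using the Windows Uninstall registry keys.
# Assumptions (not stated by the article): the sensor's Uninstall entry has a
# DisplayName containing "Carbon Black Cloud Sensor" and a DisplayVersion that
# is the four-part sensor build (e.g. 3.8.0.535).

$AffectedBuild = [version]'3.8.0.535'   # build named in the article's Cause
$FixedBuild    = [version]'3.8.0.722'   # build named in the article's Resolution

function Get-CbcSensorVersion {
    # Look in both the native and WOW6432Node Uninstall hives.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Carbon Black Cloud Sensor*' } |
        ForEach-Object {
            # DisplayVersion is a string; [version] gives proper numeric
            # comparison (so 3.8.0.722 sorts above 3.8.0.535 and 3.10 above 3.8).
            try { [version]($_.DisplayVersion) } catch { $null }
        } |
        Where-Object { $null -ne $_ } |
        Select-Object -First 1
}

function Get-CbcSensorStatus {
    param(
        [version]$Installed,
        [version]$Affected = $AffectedBuild,
        [version]$Fixed    = $FixedBuild
    )
    if (-not $Installed)            { return 'NotFound' }
    if ($Installed -eq $Affected)   { return 'AffectedBuild' }   # exactly 3.8.0.535
    if ($Installed -lt $Fixed)      { return 'BelowFix' }        # older than 3.8.0.722
    return 'Fixed'                                               # 3.8.0.722 or higher
}

$installed = Get-CbcSensorVersion
$status    = Get-CbcSensorStatus -Installed $installed

# One line per host, so the output can be collected from many machines.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    SensorBuild  = if ($installed) { $installed.ToString() } else { '' }
    Status       = $status
    Action       = switch ($status) {
        'AffectedBuild' { "Upgrade to $FixedBuild or higher (EA-21466)" }
        'BelowFix'      { "Upgrade to $FixedBuild or higher" }
        'Fixed'         { 'No action' }
        default         { 'Sensor not found in Uninstall registry' }
    }
}
```

Run it locally on a suspect endpoint, or fan it out with `Invoke-Command -ComputerName <hosts> -FilePath .\Check-CbcSensorBuild.ps1` and filter the returned objects on `Status -ne 'Fixed'` to build the upgrade list. Hosts reporting `NotFound` should be checked by hand rather than assumed clean, since the name pattern is an assumption.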

Article Information
Creation Date: 05-22-2023