Knowledge Base

Yes

Environment

Enterprise EDR Console: All Versions
Carbon Black Cloud Sensor: 3.8.0.535
Microsoft Windows: All Supported Versions

Symptoms

Alerts are reported, similar to:

The application powershell.exe attempted to execute fileless content in order to evade inspection. A Deny policy action was applied.

Endpoint Standard is not enabled for the environment.

Cause

A defect in the 3.8.0.535 Sensor caused the script to be blocked by a Tamper Protection rule in Enterprise EDR-only Orgs for attempting to disable AMSI via script.

Resolution

This issue was investigated by engineering under EA-21466 and resolved with the release of the 3.8.0.722 Sensor.
To remediate, upgrade Sensors on impacted machines to 3.8.0.722 or higher.

Knowledge Base

Enterprise EDR: PowerShell Blocked for Executing Fileless Script in Enterprise EDR-only Environment

Enterprise EDR: PowerShell Blocked for Executing Fileless Script in Enterprise EDR-only Environment

Environment

Symptoms

Cause

Resolution

Related Content

Carbon Black Cloud

Enterprise EDR

Knowledge Base

Enterprise EDR: PowerShell Blocked for Executing Fileless Script in Enterprise EDR-only Environment

Enterprise EDR: PowerShell Blocked for Executing Fileless Script in Enterprise EDR-only Environment

Environment

Symptoms

Cause

Resolution

Related Content

Carbon Black Cloud

Enterprise EDR

Thank you for your feedback.

Thank you for your feedback.