Environment
- CB Defense PSC Console: All Versions
- CB Defense PSC Sensor: 3.5 and above
- Microsoft Windows: All Supported Versions
Objective
How to re-enable services disabled by the sensor
Resolution
To re-enable the service, this must be done manually by using Live Response or other standard tools. The command for remediation through CB Live Response is:
- Query the service start type exec
execfg sc.exe qc <servicename>
- Change the start type using the command: execfg sc.exe config
execfg sc.exe config <servicename> start=<starttype>
NOTE: The possible start types are: boot | system | auto | demand | disabled | delayed-auto
Additional Notes
- Live Response is enabled by default and can be disabled by a request to Support.
- The event that is sent when the service is disabled contains the original start type and displays in the user interface. The user needs this data to return the start type to its original value. If the start type changes to boot, auto or delayed-auto, they must reboot.
- Malicious services that run at start-up have the potential to execute and impact the endpoint before the sensor starts up.
- If the sensor disables the malware service, the service(s) remain in disabled state across reboots, and therefore cannot execute at startup.
- If a service binary in question was not malicious or if some other tool is used to clean the malware, then the sensor will not automatically enable the service again.
- This feature only applies to files with a Known Malware reputation, so it is possible that files with Company Blacklist, Suspect/Heuristic Malware, Adware/PUP Malware reputation may execute on device boot-up if they are started before the sensor service
- This feature will not take effect if prevention rule "Known malware Runs or is running" Deny\Terminate is not enabled on the device policy
Related Content