Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

PSC: How to re-enable services disabled by the sensor

PSC: How to re-enable services disabled by the sensor

Environment

  • CB Defense PSC Console: All Versions
  • CB Defense PSC Sensor: 3.5 and above
  • Microsoft Windows: All Supported Versions

Objective

How to re-enable services disabled by the sensor

Resolution

To re-enable the service, this must be done manually by using Live Response or other standard tools. The command for remediation through CB Live Response is:
  1. Query the service start type exec
    execfg sc.exe qc <servicename>
  2. Change the start type using the command: execfg sc.exe config 
    execfg sc.exe config <servicename> start=<starttype>
    NOTE: The possible start types are: boot | system | auto | demand | disabled | delayed-auto

Additional Notes

  • Live Response is enabled by default and can be disabled by a request to Support.
  • The event that is sent when the service is disabled contains the original start type and displays in the user interface. The user needs this data to return the start type to its original value. If the start type changes to boot, auto or delayed-auto, they must reboot.
  • Malicious services that run at start-up have the potential to execute and impact the endpoint before the sensor starts up.
  • If the sensor disables the malware service, the service(s) remain in disabled state across reboots, and therefore cannot execute at startup.
  • If a service binary in question was not malicious or if some other tool is used to clean the malware, then the sensor will not automatically enable the service again.
  • This feature only applies to files with a Known Malware reputation, so it is possible that files with Company Blacklist, Suspect/Heuristic Malware, Adware/PUP Malware reputation may execute on device boot-up if they are started before the sensor service
  • This feature will not take effect if prevention rule "Known malware Runs or is running" Deny\Terminate is not enabled on the device policy

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎09-09-2020
Views:
1032
Contributors