EDR: Interoperability Between CbEDRAMSI.dll Module and Windows Device Guard

Article ID: 284726

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

The Windows Security event log shows an error similar to:

Event ID: 5038

Description:
Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

OR

Event ID: 3004

Description:
Windows is unable to verify the image integrity of the file because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Environment

  • EDR Server: All Supported Versions
  • EDR Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

The events are caused by an interoperability issue that arises from the Windows code integrity enforcement policy.

Resolution

This is expected behavior and does not break any functionality. There is nothing to fix on the EDR sensor, because the events are produced by Windows code integrity enforcement.
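
Because event IDs 5038 and 3004 are also logged for files unrelated to the sensor, it helps to confirm which events actually name CbEDRAMSI.dll before treating them as the expected case. The following triage script is an added example, not code from the vendor or the original article; the log names, the look-back window and the assumption that the event message contains the module's file name are assumptions.

```powershell
# Assumptions (not from the article): event 5038 is read from the Security log,
# event 3004 from Microsoft-Windows-CodeIntegrity/Operational, and the affected
# file is identified by the module name appearing in the rendered event message.
# Run from an elevated session; reading the Security log requires it.
$ModuleName = 'CbEDRAMSI.dll'
$Since      = (Get-Date).AddDays(-7)   # look-back window, adjust as needed

$filters = @(
    @{ LogName = 'Security'; Id = 5038; StartTime = $Since },
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3004; StartTime = $Since }
)

$events = foreach ($f in $filters) {
    # Get-WinEvent raises an error when nothing matches, so suppress that case
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

$triaged = $events | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        LogName     = $_.LogName
        Id          = $_.Id
        # Expected = the event names the EDR module this article is about
        Expected    = $_.Message -match [regex]::Escape($ModuleName)
        Message     = $_.Message
    }
}

# Summary: count of events per ID, split into the known interop case and the rest
$triaged | Group-Object Id, Expected |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Events that do not reference the module are not explained by this article
# and should go through normal code integrity investigation.
$triaged | Where-Object { -not $_.Expected } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, Message |
    Format-List
```

If the second listing is empty, every code integrity event in the window refers to the sensor module and matches the behavior described above.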