CB Defense: Script files being blocked despite permission rules for script host
Article ID: 285125
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Script files are blocked, despite the script host being whitelisted and/or policy bypassed already
Environment
CB Defense Web Console: All Versions
CB Defense Sensor: All Versions
Cause
Affected scripts need to be bypassed in order to run
Resolution
Create an API Bypass Permission rule for the impacted script files, based on their path and name.
Additional Information
For the purposes of execution, scripts are text files that are opened read-only and whose contents are then executed by a separate program, the script host. Script hosts such as python.exe, excel.exe, etc. often run in a standalone mode without processing any script. When a script host accesses a script file, the CB sensor applies special handling and treats that access as the invocation of an executable file, even though the script is opened with read-only permissions.
Using cscript as an example: when a .vbs script is run through cscript, cscript is executed and name/path rules are evaluated against cscript. When cscript loads the script, that 'execution' is tested against the rules applied to cscript, such as 'Deny Invokes Untrusted Process'. This produces the deny events seen in the console. As part of evaluating the script, name replacement occurs, and from then on the path rules that apply are based on the script's own name and path. This is why bypassing the script host alone is not sufficient and a permission rule for the script file itself is required.
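The following is an added illustration, not sensor code or anything from Carbon Black: a small Python model of the two evaluations described above (host launch, then name replacement to the script path), showing why a bypass on cscript.exe alone leaves the script blocked while a rule on the script's own path lets it run. The rule syntax, the paths and the `evaluate_script_launch` function are assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class Rule:
    pattern: str   # glob over the full path, e.g. r"*\cscript.exe" (assumed syntax)
    action: str    # "bypass" (permission rule) or "deny"


def first_match(rules, path):
    """Return the action of the first rule whose pattern matches `path`, else None."""
    for rule in rules:
        if fnmatch.fnmatchcase(path.lower(), rule.pattern.lower()):
            return rule.action
    return None


def evaluate_script_launch(rules, host_path, script_path):
    """Model (not sensor code) of the two evaluations the article describes.

    Step 1: the host (e.g. cscript.exe) is launched; path rules are matched
            against the host path.
    Step 2: the host reads the script; the read is treated as an invocation
            and, after name replacement, rules are matched against the
            script path instead of the host path.
    Returns (host_action, script_action, blocked). The script is blocked when
    nothing bypasses it at step 2, leaving the host's deny rules in force.
    """
    host_action = first_match(rules, host_path)
    script_action = first_match(rules, script_path)
    blocked = script_action != "bypass"
    return host_action, script_action, blocked


HOST = r"C:\Windows\System32\cscript.exe"
SCRIPT = r"C:\Scripts\inventory.vbs"   # constructed example path

# Rule set 1: only the script host is bypassed -> the script is still blocked
host_only = [Rule(r"*\cscript.exe", "bypass")]
# Rule set 2: add a rule on the script's own path and name -> the script runs
with_script = host_only + [Rule(r"C:\Scripts\inventory.vbs", "bypass")]

if __name__ == "__main__":
    for label, rules in (("host only", host_only), ("host + script", with_script)):
        print(label, evaluate_script_launch(rules, HOST, SCRIPT))
```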
To see improvements made to the console details around the scripts and script hosts, please upvote the following feature request: https://community.carbonblack.com/t5/Idea-Central/CB-Defense-Script-Host-Event-Details/idi-p/87522