CB Defense: Script files being blocked despite permission rules for script host

Article ID: 285125


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Script files are blocked, despite the script host being whitelisted and/or policy bypassed already

Environment

CB Defense Web Console: All Versions
CB Defense Sensor: All Versions

Cause

The affected script files themselves need a bypass rule in order to run; a rule for the script host alone does not cover them.

Resolution

Create an API Bypass Permission rule for the impacted script files, keyed to their path and file name (not to the script host).

Additional Information

  • For the purposes of execution, scripts are text files that are opened in a read-only manner by a separate program, the script host, which then executes their contents. Script hosts such as python.exe or excel.exe often also run standalone without processing any script. When a script host accesses a script file, the CB sensor applies special handling and treats the access as the invocation of an executable file, even though the script is opened with read-only permissions.
    • Using cscript as an example: when a .vbs script is run through cscript, cscript is executed and name/path rules are evaluated against cscript. When cscript loads the script, that 'execution' is tested against the rules applied to cscript, such as 'Deny Invokes Untrusted Process', which produces the deny events seen in the console. As part of evaluating the script, name replacement occurs, and from then on the path rules that apply are based on the script's name and path. This is why a bypass for cscript.exe does not exempt the script; the bypass rule must match the script file itself.
  • To request improvements to the console details shown for scripts and script hosts, please upvote the following feature request: https://community.carbonblack.com/t5/Idea-Central/CB-Defense-Script-Host-Event-Details/idi-p/87522