Endpoint Standard: Policy Deny on process that can't execute out of alternative data stream
Article ID: 285551
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
A Policy Deny action is applied to processes that attempt to execute content from an NTFS alternate data stream (ADS). The alert reads, for example:
The application <process path> attempted to execute content from an alternate data stream <target executable content>. A Deny policy action was applied.
Environment
Endpoint Standard Sensor: 3.6.0 and higher
Microsoft Windows: All Supported Versions
Cause
Sensor version 3.6.0 and higher includes a new feature that enforces a rule denying all forms of execution from an NTFS Alternate Data Stream.
Resolution
To prevent a legitimate application from being blocked by this DRE rule, add the hash of the target content being blocked (the executable content inside the ADS, not the host file) to your organization's allowed list of hashes.
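The following PowerShell script is an added example, not a Carbon Black tool: it enumerates the alternate data streams of a given host file and computes the SHA-256 of each stream's content (SHA-256 is assumed to be the hash form the approved list expects), so the hash of the blocked ADS payload can be looked up and approved. The file path is a placeholder to be replaced with the host file named in the alert.

```powershell
# Added example: hash every alternate data stream of a file so the blocked ADS
# content's hash can be added to the Company Approved list. Requires Windows
# PowerShell 5.1 or PowerShell 7 on an NTFS volume.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # placeholder, e.g. 'C:\Tools\host-file.txt' from the alert
)

function Get-AdsHashes {
    param([string]$FilePath)

    $file = Get-Item -LiteralPath $FilePath -ErrorAction Stop

    # Get-Item -Stream * returns every NTFS stream, including the primary ':$DATA'.
    foreach ($stream in Get-Item -LiteralPath $file.FullName -Stream *) {
        if ($stream.Stream -eq ':$DATA') { continue }   # skip the main data stream

        # .NET opens an ADS through the 'file:stream' path syntax.
        $adsPath = "$($file.FullName):$($stream.Stream)"
        $fs = [System.IO.File]::Open($adsPath,
                                     [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read)
        try {
            $hash = (Get-FileHash -InputStream $fs -Algorithm SHA256).Hash
        } finally {
            $fs.Dispose()
        }

        [PSCustomObject]@{
            File   = $file.FullName
            Stream = $stream.Stream
            Bytes  = $stream.Length
            SHA256 = $hash.ToLower()
        }
    }
}

Get-AdsHashes -FilePath $Path | Format-Table -AutoSize
```

Compare the SHA256 column against the target hash shown in the alert before approving it; only that specific stream's content is allowed, not the host file.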
Additional Information
Executing content out of an Alternate Data Stream is a tactic often used by malicious actors, but a few legitimate applications use it as well.
This blocking feature is limited to active Endpoint Standard sensors. If you have determined that the execution is legitimate, add the hash of the blocked content in the ADS to the Company Approved list. Note that other forms of approved reputation, such as Common Approved, will still not be allowed to load from within an ADS, to limit exposure to living-off-the-land binaries running out of alternate data streams.