Endpoint Standard: DBA Tools Being Blocked
search cancel

Endpoint Standard: DBA Tools Being Blocked

book

Article ID: 286088

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Blocks with the DBA Tools application

Environment

  • Carbon Black Cloud Sensor: All Supported Versions
    • Endpoint Standard

Cause

  • Missing Approvals
  • DBA Tools Triggers Advanced Scripting Prevention Rapid Config

Resolution

For DBA Tools 1.0:
  1. Upgrade to sensor version 3.8.0.722 or Higher
  2. Ensure the DBA Tools Certificate is approved
    • Signer Name: dbatools
    • CA: DigiCert SHA2 Assured ID Code Signing CA
For DBA Tools 2.0:
  1. To import a single module: Create a wrapper script with full bypass to execute the ps1 involved in importing dbatools module (such as typealiases.ps1).
    1. Create a wrapper script, (Example: wrapper_dbatools.bat), which will invoke the ps1 being blocked. Example below. Note: Do not actually use c:\temp or the name below. The name and location should be customized.
      PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'c:\temp\test_dbatools.ps1'"
    2. Next, give this wrapper script a PERMISSION, to FULL BYPASS OPERATION
      *\temp\wrapper_dbatools.bat  --> Performs any Operation –> Bypass
    3. The script can be ran with a new instance of "cmd.exe" as follows:
      c:\temp>cmd /c wrapper_dbatools.bat
  2. If DBA Tools is needed in "interactive mode: have the wrapper script open a powershell prompt from which all subsequent commands will be allowed to run.
    • Example wrapper script content:
      start powershell.exe

Additional Information

  • The wrapper script (.bat examples shared above) should be kept confidential/internal information since it provides unrestricted Powershell access. Other security measures such as NTFS / file permissions may be implemented for additional control.
  • Additional approval mechanisms are being investigated for DBA Tools 2.0. This work is being tracked under EA-23215.