Carbon Black Cloud: Processes crash due to CbAMSI
Article ID: 286414
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
- Issue first appears in sensor 3.6.0.2076; previous versions work
- The path to the executable includes non-ASCII characters, such as kanji
- The Windows Application event log records an Application Error for MSACCESS.exe with CbAMSI.dll as the faulting module
- Faulting application path: C:\Program Files\Microsoft Office\Root\Office*\MSACCESS.EXE
- Faulting module path: C:\WINDOWS\system32\CbAMSI.dll
Environment
- Carbon Black Cloud Sensor: 3.6.0.2076
- Endpoint Standard
- ThreatHunter
- Microsoft Windows: All Supported Versions
- Non-ASCII character file paths
Cause
This is due to a known issue in CbAMSI's handling of non-ASCII characters in file paths.
Resolution
- This issue is fixed in sensor 3.7.0.1253 and higher and is referenced as UAV-2191 in the release notes
Additional Information
- If upgrading to 3.7.0.1253 is not possible, the workarounds are as follows:
  - Re-install a sensor version prior to 3.6.0.2076
  - Change the file path so that it does not include non-ASCII characters
  - Temporarily disable the AMSI prevention functionality (contact the Tech Support Team for further suggestions)
    WARNING: Disabling AMSI will have a negative impact on Carbon Black Cloud's visibility and on its detection and prevention efficacy
- If the issue persists, open a support ticket with Carbon Black and include a crash dump, which can be gathered via a procdump configuration
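The following PowerShell is an added example for confirming the symptoms above on an endpoint before choosing a workaround; it is not part of this article or of the Carbon Black sensor. It assumes English-language event messages (the "Faulting application path:" text), that Sysinternals procdump.exe is on the PATH, and that C:\CrashDumps is an acceptable dump folder; the version range it checks is the one stated in this article.

```powershell
# Added example, not from the KB article. Assumptions: English Windows event
# messages, Sysinternals procdump.exe on the PATH, C:\CrashDumps as dump folder.

function Test-NonAsciiPath {
    # True when the path contains any character outside 7-bit ASCII (e.g. kanji),
    # which is the trigger described in the article.
    param([string]$Path)
    return [bool]($Path -match '[^\x00-\x7F]')
}

function Test-AffectedSensorVersion {
    # True for sensor builds from 3.6.0.2076 up to, but not including, the fixed 3.7.0.1253.
    param([Parameter(Mandatory)][string]$SensorVersion)
    $v = [version]$SensorVersion
    return ($v -ge [version]'3.6.0.2076') -and ($v -lt [version]'3.7.0.1253')
}

function Get-CbAmsiCrashEvent {
    # Application Error records (Event ID 1000, written by Windows Error Reporting)
    # from the last $Days days whose message names CbAMSI.dll as the faulting module.
    param([int]$Days = 7)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CbAMSI\.dll' } |
        ForEach-Object {
            # The English message carries "Faulting application path:" and
            # "Faulting module path:" lines; pull both out of the message text.
            $appPath = if ($_.Message -match 'Faulting application path:\s*(.+)') { $Matches[1].Trim() } else { $null }
            $modPath = if ($_.Message -match 'Faulting module path:\s*(.+)')      { $Matches[1].Trim() } else { $null }
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                ApplicationPath = $appPath
                ModulePath      = $modPath
                NonAsciiPath    = Test-NonAsciiPath $appPath
            }
        }
}

function Register-PostmortemDump {
    # Installs procdump as the AeDebug post-mortem debugger so the next crash
    # writes a full memory dump (-ma) into $DumpDir for the support ticket.
    # Requires an elevated prompt. Remove it afterwards with: procdump.exe -u
    param([string]$DumpDir = 'C:\CrashDumps')
    New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null
    & procdump.exe -accepteula -ma -i $DumpDir
}

# Usage: list matching crashes from the last 30 days, then check the
# installed sensor build against the affected range from the article.
Get-CbAmsiCrashEvent -Days 30 | Format-Table -AutoSize
Test-AffectedSensorVersion -SensorVersion '3.6.0.2076'
Test-NonAsciiPath -Path 'C:\Users\田中\Documents\db.accdb'   # constructed sample path
```

Run it in an elevated PowerShell session on the affected endpoint. An event row with NonAsciiPath set to True and a sensor version inside the affected range matches the issue described here; Register-PostmortemDump only needs to be run when Support asks for a crash dump, and procdump.exe -u restores the previous post-mortem debugger.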