App Control: Application blocks due to svchost.exe, despite custom rules in place to allow
Article ID: 287262
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Executables are blocked from running because of svchost.exe, despite custom rules in place to allow the executions.
Environment
App Control Server: 8.6.0 and Higher
App Control Agent: 8.6.0
Microsoft Windows: All Supported Versions
Cause
When svchost.exe creates a process, there is no process-create notification, so no process-create event fires. Another event is then received that looks like a file-execute event for the application but runs under the newly created process. This event does not have the correct process, and the process it does have has not been run through the rules and has no classifications.
Resolution
This will be resolved in Windows Agent 8.7.0.
Additional Information
There is no workaround for this issue at this time.