App Control: Powershell Blocks Due To wsmprovhost.exe, Despite Custom Rules In Place To Allow Execution

Article ID: 287282

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

wsmprovhost.exe is blocked from launching powershell.exe, despite custom rules being in place to allow powershell.exe executions.

Environment

  • App Control Server: 8.6.0 and Higher
  • App Control Agent: 8.6.0
  • Microsoft Windows: All Supported Versions

Cause

  • As an optimization, the agent adds a rule that classifies a process at create time, assigning one classification for each unique process pattern (from the configured rules) that the process matches. When rules are later evaluated, the agent compares these classifications with logical bit operations rather than string comparisons.
  • If the process is referenced in a Kernel Process Exclusion that has the PROCESS_CREATE and PROCESS_TERMINATE bits set, the classification rule is never evaluated, because the process create event is never passed to the rule engine.
  • If that process later performs operations that the Kernel Process Exclusion does not exclude (for example a file or script execute), rules written against those operations never match, because the process was never classified.

Resolution

This is to be resolved in Windows Agent 8.8.0.

Additional Information

As a workaround, modify the Kernel Process Exclusion to remove the PROCESS_CREATE and PROCESS_TERMINATE bits: 
kernelProcessExclusions=*\wsmprovhost.exe:2082687
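As an added illustration of the cause and the workaround above (example code written for this article, not Carbon Black's agent code), the following Python model places a kernel exclusion stage in front of a bitmask-based rule engine. The operation bits, the classification bit, the custom rule, the paths and the PID are all constructed assumptions; they do not reproduce the agent's real encoding or the meaning of the value 2082687. The model shows why an exclusion that drops the create event leaves the process unclassified, so a later execute is blocked, and why clearing the create and terminate bits restores the expected allow.

```python
from fnmatch import fnmatch

# Hypothetical operation bits (constructed for this example; not the agent's real encoding).
PROCESS_CREATE = 1 << 0
PROCESS_TERMINATE = 1 << 1
FILE_WRITE = 1 << 2
EXECUTE = 1 << 3

# Hypothetical classification bit for processes matching the custom rule's process
# pattern. The real agent derives one classification per unique process pattern.
CLASS_WSMPROVHOST = 1 << 0

# Constructed custom rule: allow powershell.exe when the acting process is wsmprovhost.exe.
CUSTOM_RULE = {
    "process_pattern": r"*\wsmprovhost.exe",
    "process_class": CLASS_WSMPROVHOST,
    "target_pattern": r"*\powershell.exe",
    "action": "allow",
}


def clear_bits(mask, bits):
    """Return mask with the given operation bits removed (what the workaround edit does)."""
    return mask & ~bits


class ToyAgent:
    """Minimal model: kernel process exclusion in front of the rule engine."""

    def __init__(self, exclusion_pattern, exclusion_mask):
        self.exclusion_pattern = exclusion_pattern
        self.exclusion_mask = exclusion_mask
        self.classification = {}  # pid -> classification bitmask

    def _kernel_excluded(self, image, op):
        # Excluded operations are dropped by the kernel stage and never reach the rule engine.
        return fnmatch(image.lower(), self.exclusion_pattern.lower()) and (self.exclusion_mask & op) != 0

    def process_create(self, pid, image):
        if self._kernel_excluded(image, PROCESS_CREATE):
            return "dropped-in-kernel"  # classification rule never runs for this process
        bits = 0
        if fnmatch(image.lower(), CUSTOM_RULE["process_pattern"].lower()):
            bits |= CUSTOM_RULE["process_class"]
        self.classification[pid] = bits
        return "classified"

    def execute(self, pid, image, target):
        if self._kernel_excluded(image, EXECUTE):
            return "allow"  # an excluded operation is never enforced
        cls = self.classification.get(pid, 0)  # unclassified process -> no bits set
        target_ok = fnmatch(target.lower(), CUSTOM_RULE["target_pattern"].lower())
        # Bit test instead of string comparison: this is the optimization the article describes.
        if target_ok and (cls & CUSTOM_RULE["process_class"]) != 0:
            return CUSTOM_RULE["action"]
        return "block"  # no rule matched; default policy in this toy model


def scenario(exclusion_mask):
    """Run create-then-execute for a constructed wsmprovhost.exe process under the given mask."""
    agent = ToyAgent(r"*\wsmprovhost.exe", exclusion_mask)
    image = r"C:\Windows\System32\wsmprovhost.exe"  # constructed path
    target = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # constructed path
    created = agent.process_create(4242, image)
    verdict = agent.execute(4242, image, target)
    return created, verdict


if __name__ == "__main__":
    broken_mask = PROCESS_CREATE | PROCESS_TERMINATE | FILE_WRITE
    fixed_mask = clear_bits(broken_mask, PROCESS_CREATE | PROCESS_TERMINATE)
    print("with create/terminate excluded:", scenario(broken_mask))
    print("after clearing those bits:     ", scenario(fixed_mask))
```

The first scenario reproduces the symptom: the create event is dropped, the process has no classification bits, and the execute falls through to block even though the rule is present. The second scenario keeps the file-write exclusion but lets the create event reach the engine, so the classification bit is set and the same execute is allowed.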