App Control: PowerShell Blocks Due To wsmprovhost.exe, Despite Custom Rules In Place To Allow Execution
Article ID: 287282
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
PowerShell executions launched from wsmprovhost.exe (the WinRM plugin host) are blocked, despite custom rules in place to allow powershell.exe to execute.
Environment
App Control Server: 8.6.0 and Higher
App Control Agent: 8.6.0
Microsoft Windows: All Supported Versions
Cause
As an optimization, a rule is added that classifies a process at create time according to each unique process pattern in the rules it matches. When rules are later evaluated for that process, the stored classification is checked with logical bit operations rather than by repeating the string comparisons.
If the process is referenced in a Kernel Process Exclusion with the PROCESS_CREATE and PROCESS_TERMINATE bits set, the create event is dropped in the kernel and never passed to the rule engine, so the classification rule is never evaluated for that process.
Any later operation by that process that the Kernel Process Exclusion does not cover (for example, a file or script execution) is then matched against rules that depend on the classification. Because the process was never classified, those rules never match, and the custom rules intended to allow the execution have no effect.
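The following is an added toy model of the behaviour described above and of the workaround; it is illustration only, not App Control's rule engine or configuration syntax. The operation bits, rule structure, PID and the `script_execute_outcome` helper are all assumptions. It shows that when the kernel drops the create event, the process is never classified, so a later script execution is blocked even though a rule would allow it; with the create bit removed from the exclusion, the same execution is allowed.

```python
# Toy model (added illustration, not App Control code) of how a create-time
# classification optimization interacts with a Kernel Process Exclusion.
from enum import IntFlag


class Op(IntFlag):
    """Hypothetical operation bits; names are illustrative only."""
    PROCESS_CREATE = 1
    PROCESS_TERMINATE = 2
    FILE_WRITE = 4
    SCRIPT_EXECUTE = 8


WSMPROVHOST = r"c:\windows\system32\wsmprovhost.exe"

# Hypothetical custom rule: let the WinRM plugin host execute scripts.
RULES = [
    {"name": "Allow script execution from wsmprovhost.exe",
     "process": WSMPROVHOST,
     "ops": Op.SCRIPT_EXECUTE},
]


class RuleEngine:
    def __init__(self, rules, exclusions):
        self.rules = rules
        # Kernel Process Exclusions: process path -> bits the kernel drops
        # before the rule engine ever sees the event.
        self.exclusions = {p.lower(): m for p, m in exclusions.items()}
        # pid -> bitmask of rule indices this process matched at create time
        self.classified = {}

    def kernel_excludes(self, path, op):
        return bool(self.exclusions.get(path.lower(), Op(0)) & op)

    def on_event(self, pid, path, op):
        if self.kernel_excludes(path, op):
            return "excluded"            # never reaches the rule engine
        if op == Op.PROCESS_CREATE:
            # The optimization: string-match the process once, at create time,
            # and remember which rules it matched as a bitmask.
            bits = 0
            for i, rule in enumerate(self.rules):
                if path.lower() == rule["process"].lower():
                    bits |= 1 << i
            self.classified[pid] = bits
            return "classified"
        # Later operations use only the stored bits, no string comparison.
        bits = self.classified.get(pid, 0)
        for i, rule in enumerate(self.rules):
            if bits & (1 << i) and rule["ops"] & op:
                return "allowed"
        return "blocked"


def script_execute_outcome(exclusion_mask):
    """Create wsmprovhost.exe under the given exclusion, then have it
    execute a script; return the engine's verdict on the script."""
    engine = RuleEngine(RULES, {WSMPROVHOST: exclusion_mask})
    engine.on_event(4242, WSMPROVHOST, Op.PROCESS_CREATE)
    return engine.on_event(4242, WSMPROVHOST, Op.SCRIPT_EXECUTE)


if __name__ == "__main__":
    # Exclusion as described in the article: create/terminate never reach the engine.
    broken = Op.PROCESS_CREATE | Op.PROCESS_TERMINATE
    # Same exclusion with those bits removed (only file writes stay excluded).
    fixed = Op.FILE_WRITE
    print("create/terminate excluded:", script_execute_outcome(broken))      # blocked
    print("create/terminate not excluded:", script_execute_outcome(fixed))   # allowed
```

The point the model makes explicit is that the exclusion and the allow rule are evaluated in different places: the exclusion is applied in the kernel before any rule runs, so an exclusion that swallows the create event silently disables every classification-dependent rule for that process, whatever the rule itself says.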
Resolution
This is to be resolved in Windows Agent 8.8.0.
Additional Information
As a workaround, modify the Kernel Process Exclusion to remove the PROCESS_CREATE and PROCESS_TERMINATE bits. The create event then reaches the rule engine and the process is classified, so later file and script operations match the custom rules; the remaining bits in the exclusion continue to apply: