App Control: Powershell Blocks Due To wsmprovhost.exe, Despite Custom Rules In Place To Allow Execution


Article ID: 287282


Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

wsmprovhost.exe is blocked from executing powershell.exe, despite custom rules being in place to allow powershell.exe executions.

Environment

  • App Control Server: 8.6.0 and Higher
  • App Control Agent: 8.6.0
  • Microsoft Windows: All Supported Versions

Cause

  • As an optimization, a rule is added that classifies a process at create time according to each unique process pattern it matches in the rules. When rules are later evaluated, logical bit operations on that classification are used rather than string comparisons.
  • If the process is covered by a Kernel Process Exclusion with the PROCESS_CREATE and PROCESS_TERMINATE bits set, this optimization rule is never evaluated, because the create event is never passed to the rule engine.
  • If that process later performs operations (for example a file or script execute) that the Kernel Process Exclusion does not cover, rules against those operations never match, because the process was never classified.
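The interaction the three points above describe, as an added Python model written for this article (it is not App Control code): the parent process is classified only if its create event reaches the rule engine, and a later file execute by that process matches the custom rule only if it was classified. The operation bit positions, masks and paths are assumed for illustration; the real bit values behind a mask such as 2082687 are not given here.

```python
import fnmatch

# Assumed bit positions for illustration only; the real App Control
# operation bit values are not documented on this page.
PROCESS_CREATE = 1 << 0
PROCESS_TERMINATE = 1 << 1
FILE_EXECUTE = 1 << 2
FILE_READ = 1 << 3

def parse_exclusions(setting):
    """Parse a kernelProcessExclusions value, 'pattern:mask[,pattern:mask...]',
    into a list of (lower-cased glob pattern, integer operation mask)."""
    result = []
    for item in setting.split(","):
        item = item.strip()
        if item:
            pattern, mask = item.rsplit(":", 1)
            result.append((pattern.lower(), int(mask)))
    return result

def kernel_drops(exclusions, image_path, op):
    """True if an exclusion matches the process and its mask covers this
    operation, so the kernel never forwards the event to the rule engine."""
    path = image_path.lower()
    return any(fnmatch.fnmatchcase(path, pat) and mask & op
               for pat, mask in exclusions)

def evaluate(setting, parent, rule_pattern, target_op):
    """Model of the Cause section. Returns 'excluded' if the operation itself
    is dropped in the kernel, 'allow' if the custom rule for rule_pattern
    fires, and 'block' if the parent was never classified (or never matched)."""
    exclusions = parse_exclusions(setting)
    if kernel_drops(exclusions, parent, target_op):
        return "excluded"
    # Classification happens only when the create event reaches the engine.
    create_seen = not kernel_drops(exclusions, parent, PROCESS_CREATE)
    classified = create_seen and fnmatch.fnmatchcase(parent.lower(), rule_pattern.lower())
    return "allow" if classified else "block"

# Constructed sample inputs: the process the custom rule is keyed on,
# an exclusion that includes the create/terminate bits, and the workaround
# with those two bits cleared.
PARENT = r"C:\Windows\System32\wsmprovhost.exe"
RULE = r"*\wsmprovhost.exe"
BROKEN_MASK = PROCESS_CREATE | PROCESS_TERMINATE | FILE_READ      # 11
WORKAROUND_MASK = BROKEN_MASK & ~(PROCESS_CREATE | PROCESS_TERMINATE)  # 8

if __name__ == "__main__":
    print(evaluate(rf"*\wsmprovhost.exe:{BROKEN_MASK}", PARENT, RULE, FILE_EXECUTE))      # block
    print(evaluate(rf"*\wsmprovhost.exe:{WORKAROUND_MASK}", PARENT, RULE, FILE_EXECUTE))  # allow
```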

Resolution

This is to be resolved in Windows Agent 8.8.0.

Additional Information

As a workaround, modify the Kernel Process Exclusion so that the PROCESS_CREATE and PROCESS_TERMINATE bits are cleared:
kernelProcessExclusions=*\wsmprovhost.exe:2082687