EDR Sensor: Unable to install updates via SCCM when "fileless script loads" event capture is enabled

EDR Sensor: Unable to install updates via SCCM when "fileless script loads" event capture is enabled

search cancel

EDR Sensor: Unable to install updates via SCCM when "fileless script loads" event capture is enabled

book

Article ID: 288433

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Unable to install updates or deploy new applications using SCCM when "fileless script loads" event capture is enabled
Powershell scripts getting terminated unexpectedly

Environment

EDR Sensor: 7.1.0 and 7.1.1

Cause

This issue was identified as a product bug:

#CB-33118 Null pointer dereference in AMSI.DLL AMSI extension that could lead to script failures for Powershell

Resolution

This issue is fixed in Windows Sensor version 7.2.0 release
As a workaround, disable 'Fileless script loads' in the 'Event Collection' section of the sensor group settings in the UI

Feedback

thumb_up Yes

thumb_down No