App Control Agent: File downloaded using powershell.exe was locally approved by the agent
Article ID: 288453
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
A user is able to download and execute an unapproved file using powershell.exe.
A file downloaded by the powershell.exe process was locally approved by the agent without any intervention.
Environment
App Control Agent: All supported versions
Cause
This can happen if powershell.exe is marked as an Installer through the Trusted Directory approval mechanism, or has been set up to be treated as an installer by an Execution Control custom rule that allows and promotes "powershell.exe". In either case, files written by powershell.exe are locally approved automatically.
Resolution
Re-evaluate the approval configuration for powershell.exe against business requirements, so that no further files are automatically approved when they should not be.