Cb Defense: Unexpected WMI Block Events Found in Console
Article ID: 288928
Updated On: 07-26-2019
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Events in the PSC Console show the WMI (Windows Management Instrumentation) provider host being blocked from modifying a registry key:
The application C:\Windows\System32\wbem\WmiPrvSE.exe attempted to modify the Windows Registry Key\Value Name =
"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\98113471A04147740B565CE52B278F1E\XXXXXXXXXXXXXXX". The operation was blocked by Cb Defense.
The Windows Application log shows unexpected install activity at the same time, ending in a "newer or current version of Cb Defense Sensor is already installed" message:
Event ID: 10005
Product: Cb Defense Sensor 64-bit -- A newer or current version of Cb Defense Sensor 64-bit is already installed.
To install this version, uninstall the current version first.
Several Sensors may report these events to the PSC Console.
Environment
Cb Defense Sensor: All Versions
Cb Defense PSC Console: All Versions
Microsoft Windows: All Supported Versions
Cause
A previous version of the Sensor is being pushed by a policy or script in SCCM or another deployment tool.
Cb Defense Sensor downgrade protection includes self-protection of the Sensor's registry keys, so the older installer's attempt to write the key is blocked and reported.
Resolution
Confirm the attempted install activity in the Windows Event Viewer Application log.
Use the details in those events (product, version, installer package location) to determine where the install attempt came from.
Check SCCM or the other deployment tool for deployed scripts or policies that push the older Sensor package, and disable them as needed.
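One way to carry out the first two steps from a sensor that raised the block events, as an added example for this article rather than Carbon Black's own tooling: the script below pulls the MsiInstaller events with the Event IDs listed under Additional Information from the Application log and surfaces any installer package path and calling process ID they contain, which is what points back to the SCCM policy or script. The .msi path pattern and the "Client Process Id" text it looks for are assumptions based on the usual MsiInstaller message wording, not something the article states.

```powershell
# Added example for this article (not Carbon Black's code): collect the
# MsiInstaller events tied to a Sensor install/downgrade attempt and pull out
# the installer path and calling process ID so the push can be traced back to
# SCCM or another deployment tool.
# Assumptions (not from the article): the .msi-path regex and the
# "Client Process Id:" text follow the usual MsiInstaller 1040/1042 wording.

function Get-SensorInstallAttempt {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$StartTime    = (Get-Date).AddDays(-7),
        [string]$ProductFilter  = 'Cb Defense Sensor'   # matched against the event message
    )

    # Event IDs the article lists as related to the install attempt
    $eventIds = 1033, 1040, 1042, 11708, 10005

    foreach ($computer in $ComputerName) {
        $filter = @{
            LogName      = 'Application'
            ProviderName = 'MsiInstaller'
            Id           = $eventIds
            StartTime    = $StartTime
        }
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when no matching events exist or the host is unreachable
            Write-Warning "${computer}: $($_.Exception.Message)"
            continue
        }

        foreach ($e in $events) {
            $msg = $e.Message
            # 1040/1042 (transaction begin/end) name the package rather than the
            # product, so keep them regardless of the product filter
            $isTransaction = $e.Id -in @(1040, 1042)
            if (-not $isTransaction -and $ProductFilter -and
                $msg -notmatch [regex]::Escape($ProductFilter)) { continue }

            # Assumed message format: a local or UNC path ending in .msi
            $installerPath = $null
            if ($msg -match '(?<path>(?:[a-z]:|\\\\)[^\r\n"]*?\.msi)') {
                $installerPath = $Matches['path']
            }
            # Assumed message format: "Client Process Id: <pid>" in 1040/1042
            $clientPid = $null
            if ($msg -match 'Client Process Id:\s*(?<pid>\d+)') {
                $clientPid = [int]$Matches['pid']
            }

            [pscustomobject]@{
                Computer      = $computer
                TimeCreated   = $e.TimeCreated
                Id            = $e.Id
                InstallerPath = $installerPath
                ClientPid     = $clientPid
                Summary       = ($msg -split "`r?`n")[0]
            }
        }
    }
}

# Usage: pull a week of events from the local host (or a list of sensors that
# raised the block events) and show which package was being pushed, and when.
Get-SensorInstallAttempt -ComputerName $env:COMPUTERNAME |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, ClientPid, InstallerPath, Summary -AutoSize
```

Run it on a few of the sensors that reported the block events and compare the InstallerPath values: a package under the SCCM client cache or on a distribution point share is the clue the article refers to. The ClientPid is only useful while the calling process is still alive, so check it promptly with Get-Process if the events are recent.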
Additional Information
Event IDs 1033, 1040, 1042, 11708, and 10005 are all related to the install attempt.
The Event Viewer logs may also show the location of the previous version's installer, which will provide clues about its origin.
The source of the logged events will be MsiInstaller.
Event TTPs include POLICY_DENY and MODIFY_SENSOR.
The block events may not be raised as Alerts.
If these events appear in the console but the affected sensors were selected for upgrade and the upgrade succeeded, the events are safe to dismiss. During the install process the sensor can block SCCM from writing to the affected registry key, but then allows the generic Windows Installer service to write to it later in the process.