Carbon Black Cloud: AMSI scriptload_hash show unusual SHA-256 value with extra zeros

Article ID: 289176

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

SHA-256 hashes shown under the scriptload filter on the Investigate page have an unusual layout: the first 16 characters of a hash, followed by 32 zeros, followed by the same 16 characters again. The value is still 64 characters long, so it passes a simple length check, but it is not the file's real hash and will not match the hash reported by filemod events for the same file.

Example: scriptload_hash:abcdefgh1234567800000000000000000000000000000000abcdefgh12345678

Environment

  • Carbon Black Cloud: Endpoint Standard
  • Carbon Black Cloud Windows Sensor: 3.6.x - 3.8.0.398
  • Windows OS: All Supported Versions

Cause

The sensor fails to compute and report the "on-disk" SHA-256 hash of the script file for AMSI_CONTENT_SCAN_EVENT events, so the scriptload_hash field is populated with the padded value shown above instead of the file's real hash.

Resolution

This issue was resolved under defect UAV-2477 and the fix is included in Windows Sensor versions 3.8.0.467 and higher. Upgrade sensors to 3.8.0.467 or later and scriptload_hash values will be reported correctly to the console.

Additional Information

  • Workaround: On the Investigate page, search for the script's filename and filter by filemod events to find the file's correct SHA-256 hash. Add that hash, not the padded scriptload_hash value, to the ALLOW Reputation list so the script is allowed to execute.
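The padded layout described under Issue/Introduction is easy to miss in an export because the value is still 64 characters long. The following is an added example (not Carbon Black code) that recognises the pattern in a batch of event records and separates sensors that still need the 3.8.0.467 upgrade from any padded value coming from an already-fixed sensor, which would point at something other than this defect. The event records are constructed; the field names device_name and sensor_version are assumed, and only scriptload_hash comes from the article.

```python
"""Triage helper for padded AMSI scriptload_hash values (added example, not Carbon Black code)."""
import re
from typing import Iterable

# First Windows sensor build that reports the on-disk hash correctly (from the article).
FIXED_SENSOR_VERSION = "3.8.0.467"
_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def is_padded_scriptload_hash(value: str) -> bool:
    """True if value has the broken layout: 16 chars + 32 zeros + the same 16 chars.

    The total length is still 64, so a plain length check passes; the structure
    of the middle and the repeated head/tail is what gives the value away.
    """
    if len(value) != 64:
        return False
    head, middle, tail = value[:16], value[16:48], value[48:]
    return middle == "0" * 32 and head == tail


def is_plausible_sha256(value: str) -> bool:
    """64 hex digits and not the padded pattern (a genuine hash to pivot on)."""
    return bool(_HEX64.match(value)) and not is_padded_scriptload_hash(value)


def parse_sensor_version(version: str) -> tuple:
    """'3.8.0.398' -> (3, 8, 0, 398): compare numerically, since '3.10' < '3.8' as strings."""
    return tuple(int(part) for part in version.split("."))


def sensor_is_fixed(version: str) -> bool:
    """True if the sensor build is at or above the version carrying the fix."""
    return parse_sensor_version(version) >= parse_sensor_version(FIXED_SENSOR_VERSION)


def triage(events: Iterable[dict]) -> dict:
    """Split events with padded hashes by whether the reporting sensor predates the fix.

    Returns a dict with:
      padded_events      - every event whose scriptload_hash is padded
      sensors_to_upgrade - {device_name: sensor_version} for sensors below the fixed build
      unexpected         - device names where a fixed sensor still emitted a padded hash
    """
    padded_events, sensors_to_upgrade, unexpected = [], {}, []
    for ev in events:
        if not is_padded_scriptload_hash(ev.get("scriptload_hash", "")):
            continue
        padded_events.append(ev)
        if sensor_is_fixed(ev["sensor_version"]):
            unexpected.append(ev["device_name"])
        else:
            sensors_to_upgrade[ev["device_name"]] = ev["sensor_version"]
    return {
        "padded_events": padded_events,
        "sensors_to_upgrade": sensors_to_upgrade,
        "unexpected": unexpected,
    }


# Constructed sample events; device names, versions and hashes are made up for the example.
SAMPLE_EVENTS = [
    {"device_name": "WS-01", "sensor_version": "3.8.0.398",
     "scriptload_hash": "3a7bd3e2360a3d29" + "0" * 32 + "3a7bd3e2360a3d29"},
    {"device_name": "WS-02", "sensor_version": "3.8.0.467",
     "scriptload_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"device_name": "WS-03", "sensor_version": "3.7.0.1253",
     "scriptload_hash": "5d41402abc4b2a76" + "0" * 32 + "5d41402abc4b2a76"},
    {"device_name": "WS-04", "sensor_version": "3.9.0.1",   # fixed build, yet padded: not this defect
     "scriptload_hash": "5d41402abc4b2a76" + "0" * 32 + "5d41402abc4b2a76"},
]


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for ev in result["padded_events"]:
        print(f"padded hash on {ev['device_name']} (sensor {ev['sensor_version']})")
    print("upgrade:", result["sensors_to_upgrade"])
    print("investigate separately:", result["unexpected"])
```

Run it over an event export and treat every device in sensors_to_upgrade as a candidate for the sensor upgrade; for those devices, use the filemod workaround above to recover the real hash before adding anything to the ALLOW list, since the padded value would never match the file.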