Carbon Black Cloud: AMSI scriptload_hash show unusual SHA-256 value with extra zeros
Article ID: 289176
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
SHA-256 hashes under the scriptload filter on the Investigate page have an unusual format: a 16-character hash fragment, followed by 32 zeros, followed by the same 16 characters repeated (64 characters in total, so the value still looks like a valid SHA-256 digest).
Carbon Black Cloud Windows Sensor: 3.6.x - 3.8.0.398
Windows OS: All Supported Versions
Cause
The sensor is failing to compute and report the "on-disk" SHA-256 hash of script files for AMSI_CONTENT_SCAN_EVENT events, so the scriptload_hash field is populated with a malformed value instead of the file's real digest.
Resolution
This issue was resolved in defect UAV-2477, and the fix is included in Windows Sensor versions 3.8.0.467 and higher. Upgrade sensors to this version or later and scriptload_hash values will be reported correctly to the console.
Additional Information
Workaround: On the Investigate page, search for the script's filename and filter by filemod to find the file's correct SHA-256 hash value. Then add that hash to the ALLOW reputation list to allow the script to execute. Do not add the malformed scriptload_hash value to the list; it does not correspond to the file's real digest.
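The following is an added example, not Carbon Black's code or the Carbon Black Cloud API schema. It shows how an analyst can recognise the malformed scriptload_hash shape described above before it reaches an allow list, and how to apply the workaround by preferring the filemod hash for the same filename. It assumes "repeat 16 character" means the same leading 16 characters are repeated at the end, and that events are available as dicts with `type`, `filename` and `hash` keys (a constructed shape for the example); the sample event records and hash values are constructed.

```python
import re
from typing import Iterable, Optional

# A well-formed SHA-256 digest is exactly 64 hexadecimal characters.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
ZERO_RUN = "0" * 32


def malformed_reason(value: str) -> Optional[str]:
    """Return a short reason if `value` looks like the corrupted scriptload_hash
    pattern (16 hex chars + 32 zeros + 16 hex chars), otherwise None.

    A genuine SHA-256 digest containing 32 consecutive zero nibbles is so
    unlikely that the zero run alone is treated as sufficient evidence; an
    identical head and tail confirms the exact shape the article describes
    (assumption: "repeat" means the same 16 characters, not any 16).
    """
    v = value.strip().lower()
    if not SHA256_RE.match(v):
        return "not a 64-character hex digest"
    head, middle, tail = v[:16], v[16:48], v[48:]
    if middle != ZERO_RUN:
        return None
    if head == tail:
        return "16 chars + 32 zeros + same 16 chars (matches UAV-2477 symptom)"
    return "32-zero run in the middle of the digest"


def trusted_hash_for(events: Iterable[dict], filename: str) -> Optional[str]:
    """Apply the workaround: for `filename`, prefer the SHA-256 reported by a
    filemod event over a scriptload event, and never return a malformed digest.

    `events` is an iterable of dicts with keys "type", "filename" and "hash"
    (a constructed shape for this example, not the CBC API's own schema).
    """
    filemod_hash = None
    scriptload_hash = None
    for ev in events:
        if ev.get("filename", "").lower() != filename.lower():
            continue
        h = ev.get("hash", "").strip().lower()
        if malformed_reason(h):
            continue  # never allow-list a corrupted digest
        if ev.get("type") == "filemod":
            filemod_hash = h  # preferred source per the workaround
        elif ev.get("type") == "scriptload":
            scriptload_hash = h  # acceptable only if well-formed
    return filemod_hash or scriptload_hash


# Constructed sample records: an affected sensor reports the malformed
# scriptload_hash, while the filemod event for the same file carries the
# real digest (the hash below is a constructed sample value).
SAMPLE_EVENTS = [
    {"type": "scriptload", "filename": "deploy.ps1",
     "hash": "a1b2c3d4e5f60718" + ZERO_RUN + "a1b2c3d4e5f60718"},
    {"type": "filemod", "filename": "deploy.ps1",
     "hash": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["type"], ev["hash"], malformed_reason(ev["hash"]) or "ok")
    print("hash to allow-list:", trusted_hash_for(SAMPLE_EVENTS, "deploy.ps1"))
```

Running the check over exported Investigate results (or over events pulled through whatever export path you already use) is a quick way to find every scriptload_hash that was recorded by an affected sensor and to confirm that nothing matching the malformed pattern has already been added to the ALLOW reputation list.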