Carbon Black Cloud: Blocks on Rapid7 (ir_agent.exe) Attempting to Launch Process Explorer (procexp.sys)
Article ID: 289536
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
Issue/Introduction
Alerts are reported in the Console, similar to:
The application ir_agent.exe attempted to launch c:\windows\system32\drivers\procexp.sys which can be abused by malware to interfere with security products.
The block occurs even though the Sensor is enforcing a Policy that grants Bypass permissions for the Rapid7 Insight Agent application path.
Environment
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Sensor: 3.9.0 - 3.9.1
Microsoft Windows: All Supported Versions
Cause
A Sensor Tamper Protection rule is preventing the Process Explorer driver (procexp.sys) from being loaded by the Rapid7 Insight Agent; Tamper Protection is enforced independently of the Bypass permissions in the Policy, which is why the Bypass rule does not suppress the block.
Resolution
This issue was tracked by engineering under EA-22835 and fixed in the 3.9.2 Sensor release with the resolution of DSEN-24075.
To remediate the issue, update impacted Sensors to 3.9.2.2698 or higher.
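As an added example, not the article's or Carbon Black's own code, the following Python triages a list of Sensor versions against the ranges stated above (affected 3.9.0 - 3.9.1, fixed at 3.9.2.2698 or higher), so that only impacted endpoints are scheduled for the update. The hostnames and builds are constructed; it is assumed that a Console inventory export supplies hostname and sensor version pairs.

```python
# Added example (not Carbon Black's code): triage Carbon Black Cloud Sensor
# versions against the affected range (3.9.0 - 3.9.1) and the fixed build
# (3.9.2.2698 or higher) stated in this article. The inventory below is a
# constructed sample standing in for a Console export of hostname/version.

AFFECTED_MIN = (3, 9, 0)        # first affected release line
AFFECTED_MAX = (3, 9, 1)        # last affected release line (all builds)
FIXED_BUILD = (3, 9, 2, 2698)   # first build carrying the DSEN-24075 fix

def parse_version(text):
    """Turn '3.9.1.2451' into a tuple of ints so comparison is numeric;
    plain string comparison gets this wrong ('3.9.10' < '3.9.2')."""
    parts = text.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised sensor version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Return 'affected', 'fixed', or 'other' for one sensor version."""
    v = parse_version(version_text)
    if AFFECTED_MIN <= v[:3] <= AFFECTED_MAX:
        return "affected"      # in the documented 3.9.0 - 3.9.1 range
    if v >= FIXED_BUILD:
        return "fixed"         # 3.9.2.2698 or higher
    # Not in the affected range but below the fixed build (e.g. an older
    # line, or a 3.9.2 build earlier than 2698): not covered by this article.
    return "other"

def triage(inventory):
    """Group hosts by classification; 'affected' hosts need the update."""
    groups = {"affected": [], "fixed": [], "other": []}
    for host, version_text in inventory:
        groups[classify(version_text)].append(host)
    return groups

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = [
    ("ws-101", "3.9.0.2442"),
    ("ws-102", "3.9.1.2451"),
    ("ws-103", "3.9.2.2698"),
    ("srv-01", "3.9.2.2700"),
    ("srv-02", "3.8.0.2200"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```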