Carbon Black Cloud: Blocks on Rapid7 (ir_agent.exe) Attempting to Launch Process Explorer (procexp.sys)

Article ID: 289536

Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Alerts are reported in the Console, similar to:
    The application ir_agent.exe attempted to launch c:\windows\system32\drivers\procexp.sys which can be abused by malware to interfere with security products.
  • The block occurs even though the Sensor is enforcing a Policy that contains a Bypass permission rule for the Rapid7 Insight Agent application path.

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.9.0 - 3.9.1
  • Microsoft Windows: All Supported Versions

Cause

A Sensor Tamper Protection rule is preventing the Process Explorer driver (procexp.sys) from being loaded by the Insight Agent. The rule exists because this Sysinternals driver can be abused by malware to interfere with security products; in Sensor versions 3.9.0 - 3.9.1 it is applied to ir_agent.exe even when the Policy's Bypass permission covers that application path, so the Bypass rule does not suppress the block.

Resolution

  • This issue was tracked by engineering under EA-22835 and fixed in the 3.9.2 Sensor release with the resolution of DSEN-24075.
  • To remediate the issue, update impacted Sensors to 3.9.2.2698 or higher.
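To find which Sensors still need the update, the following script triages a sensor inventory export against the affected range and the fixed build stated above. It is an added example and not part of this article or of Carbon Black's tooling; the CSV column names (device_name, os, sensor_version) and the sample rows are constructed for illustration.

```python
"""Triage a Carbon Black Cloud sensor inventory for the procexp.sys block.

Hypothetical helper (not Carbon Black's own tooling). It reads CSV rows in the
shape of a sensor export - the column names are an assumption - and flags
Windows sensors that are 3.9.0 or later but below the fixed build 3.9.2.2698.
"""
import csv
import io

# Range taken from the article: affected 3.9.0 - 3.9.1, fixed in 3.9.2.2698.
AFFECTED_MIN = (3, 9, 0, 0)
FIXED_BUILD = (3, 9, 2, 2698)


def parse_version(text):
    """'3.9.1.2451' -> (3, 9, 1, 2451). Missing trailing fields are zero-padded
    so '3.9.2' sorts below every real 3.9.2 build."""
    nums = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(nums) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return (nums + (0, 0, 0, 0))[:4]


def classify(version_text):
    """Return 'unaffected', 'update-required' or 'fixed' for one sensor version.

    3.9.2 builds below 2698 are reported as update-required as well, because the
    article only confirms the fix from 3.9.2.2698 onwards.
    """
    v = parse_version(version_text)
    if v < AFFECTED_MIN:
        return "unaffected"
    if v < FIXED_BUILD:
        return "update-required"
    return "fixed"


def triage(csv_text, os_name="WINDOWS"):
    """Map device_name -> classification for sensors on the given OS.

    Only Windows sensors are in scope per the article's Environment section,
    so rows for other platforms are skipped rather than classified.
    """
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["os"].strip().upper() != os_name:
            continue
        result[row["device_name"].strip()] = classify(row["sensor_version"])
    return result


def devices_needing_update(csv_text):
    """Sorted device names that must be moved to 3.9.2.2698 or higher."""
    return sorted(d for d, c in triage(csv_text).items() if c == "update-required")


# Constructed sample export; device names and build numbers are made up.
SAMPLE_EXPORT = """device_name,os,sensor_version
WS-001,WINDOWS,3.9.1.2451
WS-002,WINDOWS,3.9.2.2698
SRV-DB1,WINDOWS,3.9.0.2369
MAC-01,MAC,3.9.1.2451
WS-003,WINDOWS,3.8.0.627
WS-004,WINDOWS,3.9.2.2600
"""

if __name__ == "__main__":
    for device, state in sorted(triage(SAMPLE_EXPORT).items()):
        print(f"{device:10} {state}")
    print("update required:", ", ".join(devices_needing_update(SAMPLE_EXPORT)))
```

Feed it the CSV you export from the Console's Inventory page (after renaming the columns to match), and the update-required list is the set of Sensors on which the Bypass rule for ir_agent.exe will keep being overridden until they are on 3.9.2.2698 or higher.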