Event Log Message: Event ID 5038 Code integrity determined that the image hash of a file is not valid.
Article ID: 289806


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

  • The Windows Security event log shows an error similar to:
    Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
    
    File Name:	\Device\HarddiskVolume3\Windows\System32\CbAMSI.dll
  • Potentially failed logons with the error "The security log on this system is full. Only administrators can log on to fix the problem"

Environment

  • Carbon Black Cloud sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

This event is generated by Microsoft when a process running at signing level 11 or higher loads CbAMSI.dll (or any other vendor's AMSI DLL signed at signing level 8). This is outside the control of Carbon Black; Carbon Black has signed CbAMSI.dll according to Microsoft's directives.
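Because the event itself is expected noise only when it names CbAMSI.dll, it is worth checking which files the 5038 events on a host actually reference before suppressing the log. The following PowerShell is an added example, not part of the article or a Carbon Black tool; it assumes an elevated prompt that can read the Security log, and the list of expected file names is an assumption based on this article.

```powershell
# Added example (not from the KB article): summarise Security-log Event ID 5038
# entries by the file they reference, so expected CbAMSI.dll events can be
# separated from hash failures on other binaries that deserve investigation.
# Assumes an elevated PowerShell prompt (the Security log requires it).

function Get-CodeIntegrityHashFailures {
    param(
        [int]$MaxEvents = 5000,
        # Files this article says are expected to produce 5038 (assumption).
        [string[]]$ExpectedFiles = @('CbAMSI.dll')
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # The message ends with "File Name: <device path>"; pull the path out.
        $m = [regex]::Match($evt.Message, 'File Name:\s*(\S+)')
        $fileName = if ($m.Success) { $m.Groups[1].Value } else { '<unparsed>' }
        $leaf = Split-Path -Path $fileName -Leaf

        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            FileName    = $fileName
            Expected    = ($ExpectedFiles -contains $leaf)
        }
    }
}

$failures = Get-CodeIntegrityHashFailures

# Volume per file: a large count for CbAMSI.dll alone matches this article's cause.
$failures | Group-Object FileName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Anything not on the expected list is not explained by this article and
# should be triaged as a possible tampered or damaged binary.
$failures | Where-Object { -not $_.Expected } |
    Format-Table TimeCreated, FileName -AutoSize
```

Run it before applying either workaround below: if files other than CbAMSI.dll appear, reducing or disabling the log would hide events that this article does not account for.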

Resolution

We have seen customers perform the following workarounds:

Configure "Maximum Log Size" and "Overwrite events as needed (oldest events first)"

  1. Open Event Viewer
  2. Expand Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational, then right-click the log and choose Properties
  3. Set the maximum log size to the desired value (1028 KB is the default)
  4. If desired, set the "Overwrite events as needed (oldest events first)" setting.

Disable the Code Integrity events

  1. Open Event Viewer
  2. Expand Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational, then right-click the log and choose Disable Log
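Both workarounds above can be applied from PowerShell instead of Event Viewer, which is easier to repeat across many endpoints. This is an added example, not from the article or Carbon Black; it uses the EventLogConfiguration object returned by Get-WinEvent -ListLog, requires an elevated prompt, and the 20480 KB size is an illustrative assumption (the article states 1028 KB as the default).

```powershell
# Added example (not from the KB article): apply the two workarounds with the
# EventLogConfiguration object that Get-WinEvent -ListLog returns.
# Run from an elevated prompt. The size value below is an assumption.

$script:LogName = 'Microsoft-Windows-CodeIntegrity/Operational'

function Set-CodeIntegrityLogRetention {
    param(
        # Default in this article is 1028 KB; 20480 KB (20 MB) is an assumed larger value.
        [int]$MaximumSizeKB = 20480,
        # Equivalent of "Overwrite events as needed (oldest events first)".
        [switch]$OverwriteOldest
    )
    $log = Get-WinEvent -ListLog $script:LogName
    $log.MaximumSizeInBytes = $MaximumSizeKB * 1KB
    if ($OverwriteOldest) { $log.LogMode = 'Circular' }
    $log.SaveChanges()

    # Return the effective settings so the change can be verified.
    Get-WinEvent -ListLog $script:LogName |
        Select-Object LogName, IsEnabled, LogMode, MaximumSizeInBytes
}

function Disable-CodeIntegrityLog {
    # Workaround 2: stop the Operational channel from recording at all.
    $log = Get-WinEvent -ListLog $script:LogName
    $log.IsEnabled = $false
    $log.SaveChanges()
    Get-WinEvent -ListLog $script:LogName | Select-Object LogName, IsEnabled
}

# Workaround 1: larger log that wraps instead of filling up.
Set-CodeIntegrityLogRetention -MaximumSizeKB 20480 -OverwriteOldest

# Workaround 2 (only if the log is not needed for other investigations):
# Disable-CodeIntegrityLog
```

Of the two, the retention change is the safer choice: the log keeps recording hash failures for other binaries, while the circular mode prevents it from filling and blocking logons. Re-enabling a disabled channel is the same call with `$log.IsEnabled = $true`.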

Additional Information