Enterprise EDR: PowerShell Blocked for Executing Fileless Script in Enterprise EDR-only Environment
Article ID: 289829
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Alerts similar to the following are reported:
The application powershell.exe attempted to execute fileless content in order to evade inspection. A Deny policy action was applied.
Endpoint Standard is not enabled for the environment.
Environment
Enterprise EDR Console: All Versions
Carbon Black Cloud Sensor: 3.8.0.535
Microsoft Windows: All Supported Versions
Cause
A defect in the 3.8.0.535 Sensor caused a Tamper Protection rule, which blocks scripts that attempt to disable AMSI, to be enforced in Enterprise EDR-only Orgs, so the script was blocked even though no Endpoint Standard policy was in place.
Resolution
This issue was investigated by engineering under EA-21466 and resolved with the release of the 3.8.0.722 Sensor.
To remediate, upgrade Sensors on impacted machines to 3.8.0.722 or higher.
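As an added triage helper (not Carbon Black's own code or API), the snippet below encodes the decision described in this article: an alert with the fileless-content Deny text, on an Org without Endpoint Standard, from a 3.8.0.535 Sensor matches the EA-21466 defect, and the fix is to upgrade to 3.8.0.722 or higher. It assumes the alert text and the sensor version have already been pulled from the console; the sample alert string is constructed from the text above.

```python
import re

# Versions taken from the article: the Sensor with the defect and the Sensor that fixes it.
AFFECTED_VERSION = "3.8.0.535"
FIXED_VERSION = "3.8.0.722"

# Matches the alert wording this article covers (fileless content + Deny action).
ALERT_PATTERN = re.compile(
    r"attempted to execute fileless content.*A Deny policy action was applied",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample alert, copied from the article's example text.
SAMPLE_ALERT = (
    "The application powershell.exe attempted to execute fileless content "
    "in order to evade inspection. A Deny policy action was applied."
)


def parse_version(version):
    """Turn a dotted sensor version such as '3.8.0.535' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_upgrade(sensor_version):
    """True when the sensor is older than the release carrying the fix (3.8.0.722)."""
    return parse_version(sensor_version) < parse_version(FIXED_VERSION)


def triage(alert_text, sensor_version, endpoint_standard_enabled):
    """Classify one alert against the conditions described in this article.

    Returns one of:
      'unrelated'            - not the fileless-content Deny alert this article covers
      'expected-enforcement' - Endpoint Standard is enabled, so a Deny action is policy, not a defect
      'known-defect'         - EDR-only Org on the 3.8.0.535 Sensor: matches EA-21466, upgrade
      'investigate'          - EDR-only Org on another Sensor version: not explained by this article
    """
    if not ALERT_PATTERN.search(alert_text):
        return "unrelated"
    if endpoint_standard_enabled:
        return "expected-enforcement"
    if parse_version(sensor_version) == parse_version(AFFECTED_VERSION):
        return "known-defect"
    return "investigate"
```

Sensors classified as `known-defect` still need the upgrade; `needs_upgrade` flags any Sensor below 3.8.0.722 for the remediation step.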