Enterprise EDR: PowerShell Blocked for Executing Fileless Script in Enterprise EDR-only Environment



Article ID: 289829


Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Alerts are reported, similar to:
    The application powershell.exe attempted to execute fileless content in order to evade inspection. A Deny policy action was applied.
  • Endpoint Standard is not enabled for the environment.

Environment

  • Enterprise EDR Console: All Versions
  • Carbon Black Cloud Sensor: 3.8.0.535
  • Microsoft Windows: All Supported Versions

Cause

A defect in the 3.8.0.535 Sensor caused a Tamper Protection rule, which targets scripts that attempt to disable AMSI, to block the script in Enterprise EDR-only Orgs, even though that policy action should not apply when Endpoint Standard is not enabled.

Resolution

  • This issue was investigated by engineering under EA-21466 and resolved with the release of the 3.8.0.722 Sensor.
  • To remediate, upgrade Sensors on impacted machines to 3.8.0.722 or higher.
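The following is an added triage example, not Carbon Black's code, for locating the machines this article applies to. It assumes a sensor inventory exported as CSV with hypothetical column names (hostname, sensor_version, last_alert); the sample rows are constructed. It compares sensor versions numerically, since a string comparison would wrongly rank a later build such as 3.8.0.1000 below 3.8.0.722.

```python
"""Added example: find endpoints at the defective 3.8.0.535 Sensor build and
check whether each is at or above the fixed 3.8.0.722 build named in the article.
Not Carbon Black's code; the CSV layout and host names are assumptions."""
import csv
import io
from typing import Dict, List, Tuple

# Builds named in the article.
AFFECTED_VERSION = "3.8.0.535"
FIXED_VERSION = "3.8.0.722"

# Fragment of the alert text quoted in the article.
ALERT_MARKER = "attempted to execute fileless content"


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted build string into integers so comparisons are numeric."""
    return tuple(int(part) for part in v.strip().split("."))


def at_or_above_fix(version: str) -> bool:
    """True when the sensor already carries the 3.8.0.722 fix (or a later build)."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def triage(inventory_csv: str) -> List[Dict[str, object]]:
    """Return one verdict record per host in the inventory export.

    Hypothetical CSV columns: hostname, sensor_version, last_alert.
    """
    records = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = row["sensor_version"]
        alert = row.get("last_alert") or ""
        records.append({
            "hostname": row["hostname"],
            "sensor_version": version,
            # Sensor is the exact build the article attributes the defect to.
            "at_defective_build": version == AFFECTED_VERSION,
            # The fileless-content Deny alert from the article has been seen.
            "alert_seen": ALERT_MARKER in alert,
            "at_or_above_fix": at_or_above_fix(version),
        })
    return records


def hosts_to_upgrade(inventory_csv: str) -> List[str]:
    """Hostnames still on 3.8.0.535, i.e. candidates for the upgrade."""
    return [r["hostname"] for r in triage(inventory_csv) if r["at_defective_build"]]


# Constructed sample inventory (hypothetical hosts; not real data).
SAMPLE_INVENTORY = """hostname,sensor_version,last_alert
WS-001,3.8.0.535,"The application powershell.exe attempted to execute fileless content in order to evade inspection. A Deny policy action was applied."
WS-002,3.8.0.722,
WS-003,3.8.0.1000,
WS-005,3.8.0.535,
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_INVENTORY):
        print(rec)
    print("upgrade:", hosts_to_upgrade(SAMPLE_INVENTORY))
```

WS-005 shows why the version check and the alert check are reported separately: a host on the defective build that has not yet raised the alert still benefits from the upgrade before it does.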