Enterprise EDR: Script Insights are unavailable for file-backed PowerShell scripts
Article ID: 290323
Updated On:
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
When you attempt to investigate a file-backed PowerShell script by clicking the "Translate" button on the Investigation Page, you see the following:
- Not all data could be displayed
- Script Insights are greyed out
Environment
- Carbon Black Cloud Console: August 2020 Release and Higher
- Enterprise EDR (Formerly CB ThreatHunter)
- Carbon Black Cloud Windows Sensor: 3.6.x and Higher
Cause
A privacy-centric approach was taken when this feature was introduced. File-backed PowerShell scripts are not currently supported.
Resolution
A future enhancement to the feature will allow users to opt in and share file-backed scripts.
Additional Information
The feature can currently deobfuscate scripts that are passed on the command line or loaded directly into memory.