Endpoint Standard: Explorer.exe Terminated When Navigating To Certain Directories
Article ID: 291599
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
A file with Suspect Malware or Known Malware reputation is located on an endpoint's file system.
A file resides in a directory covered by a path-based "Runs or is running" Prevention rule that matches that filename or file type. Example:
Applications at path: C:\Users\*\Downloads\*.exe > Runs or is running > Terminate process
Navigating to the directory containing this file causes explorer.exe to be repeatedly terminated.
Environment
Carbon Black Cloud Console: All Supported Versions
Endpoint Standard Sensor: 3.9.0 - 3.9.1
Microsoft Windows: All Supported Versions
Cause
The issue is caused by a product defect in early 3.9 Sensor versions, tracked under DSEN-23911.
Resolution
Upgrade to Sensor 3.9.2, which contains a fix for this bug. From the Release Notes:
DSEN-23911: Fixed an issue where explorer.exe was terminated when browsing directories that contained banned or malicious files
Alternatively, either workaround below can be implemented, depending on the cause of the block.
If a file in the directory that triggers the terminations has a Suspect Malware or Known Malware reputation, manually add its hash to the Banned List using these steps.
If the file is subject to a path-based "Runs or is running" Prevention rule, remove the file or relax the Prevention rule to an operation other than "Runs or is running".
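Before relaxing a path rule, it helps to know exactly which files it currently covers and to capture their hashes so they can be banned by hash instead. The script below is an added example and is not part of this article or of the Carbon Black product; it assumes the rule pattern quoted above (C:\Users\*\Downloads\*.exe) and relies only on built-in PowerShell cmdlets, which expand the same "*" wildcards the rule uses. The output path is an assumed default.

```powershell
# Added example (not from the KB article or the product): list the files on
# this endpoint that match a path-based "Runs or is running" rule pattern and
# record their SHA-256 hashes, which is what the Banned List workaround needs.
param(
    # The pattern quoted in the article; change it to match the rule in your policy.
    [string]$RulePattern = 'C:\Users\*\Downloads\*.exe',
    # Assumed default location for the report.
    [string]$OutCsv = "$env:TEMP\rule-matched-files.csv"
)

# Get-ChildItem expands the wildcards in the pattern, so this is the set of
# files the rule would act on right now. -Force also returns hidden files.
$candidates = Get-ChildItem -Path $RulePattern -File -Force -ErrorAction SilentlyContinue

if (-not $candidates) {
    Write-Host "No files currently match '$RulePattern'."
    return
}

$report = foreach ($file in $candidates) {
    # Hashing can fail on a file another process holds open; record that rather than abort.
    $hash = Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path             = $file.FullName
        SizeBytes        = $file.Length
        LastWriteTimeUtc = $file.LastWriteTimeUtc
        SHA256           = if ($hash) { $hash.Hash } else { 'HASH_FAILED' }
        SignatureStatus  = $sig.Status      # e.g. Valid, NotSigned, HashMismatch
    }
}

$report | Sort-Object Path | Format-Table -AutoSize
$report | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Wrote $($report.Count) entries to $OutCsv"
```

Run it from an elevated prompt so that every user's Downloads folder is readable. The SHA256 column is the value to add to the Banned List for any file you want to keep blocking after the path rule is narrowed; the signature status column helps separate unsigned or tampered binaries from legitimately signed installers that the path rule was also catching.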
Additional Information
Removing a "Runs or is running" Prevention rule may allow a process to run if it does not violate Policy rules for any other operation.