PSC: How to re-enable services disabled by the sensor
search cancel

PSC: How to re-enable services disabled by the sensor

book

Article ID: 291944

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How to re-enable services disabled by the sensor

Environment

  • CB Defense PSC Console: All Versions
  • CB Defense PSC Sensor: 3.5 and above
  • Microsoft Windows: All Supported Versions

Resolution

To re-enable the service, this must be done manually by using Live Response or other standard tools. The command for remediation through CB Live Response is:
  1. Query the service start type exec 
    execfg sc.exe qc <servicename>
  2. Change the start type using the command: execfg sc.exe config  
    execfg sc.exe config <servicename> start=<starttype>
    NOTE: The possible start types are: boot | system | auto | demand | disabled | delayed-auto

Additional Information

  • Live Response is enabled by default and can be disabled by a request to Support.
  • The event that is sent when the service is disabled contains the original start type and displays in the user interface. The user needs this data to return the start type to its original value. If the start type changes to boot, auto or delayed-auto, they must reboot.
  • Malicious services that run at start-up have the potential to execute and impact the endpoint before the sensor starts up.
  • If the sensor disables the malware service, the service(s) remain in disabled state across reboots, and therefore cannot execute at startup.
  • If a service binary in question was not malicious or if some other tool is used to clean the malware, then the sensor will not automatically enable the service again.
  • This feature only applies to files with a Known Malware reputation, so it is possible that files with Company Blacklist, Suspect/Heuristic Malware, Adware/PUP Malware reputation may execute on device boot-up if they are started before the sensor service
  • This feature will not take effect if prevention rule "Known malware Runs or is running" Deny\Terminate is not enabled on the device policy
Powered by Wolken Software