Carbon Black Cloud: Sensor Performance & Networking Issues When 'Svchost.exe mitigation' Option is Enabled in Microsoft Security Baseline Group Policy
Article ID: 292132

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

  • Long boot times
  • Applications with network connection issues
  • Applications slow to open
  • High or pegged CPU from "Service Host: Windows Management Instrumentation" (the svchost.exe instance hosting the WMI service)
  • Placing the sensor in bypass mode does not resolve the issue

Environment

Carbon Black Cloud (formerly PSC) Sensor: 3.5+
  • Endpoint Standard (Formerly CB Defense)
  • Enterprise EDR (Formerly CB ThreatHunter)
Windows 10 1903+ and Windows Server, with the Microsoft Security Baseline group policy (Windows 10 1903+ / Windows Server baselines) applied

Cause

  • The Microsoft 'Enable svchost.exe mitigation options' policy, included in the Windows 10 1903+ and Windows Server security baselines, prevents cbAMSI.dll from loading. The policy applies stricter process mitigations to services hosted in svchost.exe, including a requirement that every binary loaded into those processes be signed by Microsoft; a third-party AMSI provider such as cbAMSI.dll is therefore rejected when an svchost-hosted service (for example WMI) calls into AMSI.
  • cbAMSI.dll meets all of Microsoft's AMSI provider signing requirements, but it will still fail to load while this security policy is enabled, because the policy requires a Microsoft signature rather than a valid third-party signature.

Resolution

Set the 'Enable svchost.exe mitigation options' policy to Disabled in the GPO that applies the security baseline. The setting is located under:
  • Computer Configuration > Administrative Templates > System\Service Control Manager Settings\Security Settings - 'Enable svchost.exe mitigation options'

Additional Information

Apart from inspecting and changing the GPO setting, the policy can also be toggled directly in the registry.
(NOTE: If the value is changed directly in the registry (disabled), Group Policy will revert it (enabled) after the next policy refresh or reboot if a GPO still enforces it. Services that start after the GPO has re-applied the setting will continue to fail to load cbAMSI.dll. The change only persists when it is made in the GPO, or when no GPO configures this setting at all.)

Open Windows Registry Editor as an administrator (Start > Run, type regedit):
  1. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SCMConfig
  2. Check whether the value 'EnableSvchostMitigationPolicy' exists and is set to enabled: 'EnableSvchostMitigationPolicy'=dword:00000001
  3. Change the DWORD value from 1 to 0 to disable the policy
  4. Reboot to apply the setting (it persists only if no GPO re-enables it)
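The following PowerShell script performs the registry check and change above from an elevated prompt, and additionally reports which running svchost.exe processes currently have cbAMSI.dll loaded, which is a quick way to confirm whether the provider is being blocked. This is an added example, not a script from the KB article or from Carbon Black; the function names are this example's own, and the registry path and value are the ones the article describes.

```powershell
# Added example (not from the KB article or the vendor): audit the
# 'Enable svchost.exe mitigation options' policy value, optionally disable
# it, and show whether cbAMSI.dll is loaded into any svchost.exe process.
# Run from an elevated PowerShell prompt. Function names are this example's own.

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig'   # path from the article
$RegValue = 'EnableSvchostMitigationPolicy'                      # value from the article

function Get-SvchostMitigationState {
    # Returns 'Enabled', 'Disabled' or 'NotSet' based on the DWORD under SCMConfig.
    $item = Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction SilentlyContinue
    if ($null -eq $item)         { return 'NotSet' }
    if ($item.$RegValue -eq 1)   { return 'Enabled' }
    return 'Disabled'
}

function Disable-SvchostMitigation {
    # Sets the DWORD to 0, the same change as step 3 of the registry procedure.
    # A reboot is still required, and if a GPO enables the policy, Group Policy
    # will set it back to 1 at the next refresh; fix the GPO to make this persist.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $RegValue -Value 0 -Type DWord
}

function Get-SvchostWithCbAmsi {
    # Lists svchost.exe processes that have cbAMSI.dll loaded. Enumerating the
    # modules of a service process needs elevation; processes we cannot open
    # throw on the Modules property and are skipped.
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            $mods = $_.Modules
            if ($mods.ModuleName -contains 'cbAMSI.dll') {
                [pscustomobject]@{ PID = $_.Id; CommandLine = $_.Path }
            }
        } catch {
            # access denied or protected process: ignore
        }
    }
}

$state = Get-SvchostMitigationState
Write-Host "EnableSvchostMitigationPolicy: $state"
if ($state -eq 'Enabled') {
    Write-Warning 'svchost mitigation policy is enabled; cbAMSI.dll will be rejected by svchost-hosted services such as WMI.'
    Write-Host   'Run Disable-SvchostMitigation and reboot, then set the policy to Disabled in the GPO so the change persists.'
}

$loaded = @(Get-SvchostWithCbAmsi)
if ($loaded.Count -gt 0) {
    Write-Host 'svchost.exe processes with cbAMSI.dll loaded:'
    $loaded | Format-Table -AutoSize
} else {
    Write-Host 'cbAMSI.dll is not loaded in any accessible svchost.exe process.'
}
```

After the GPO has been corrected, run `gpupdate /force` and reboot; `gpresult /scope computer /v` lists the GPOs applied to the machine, which helps identify which baseline GPO is still pushing the setting if the value keeps reverting to 1.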

From MS articles listed below:

"Important - Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software)."

"The first and most important change is that we are removing the Computer Configuration setting, “Enable svchost.exe mitigation options” (in System\Service Control Manager Settings\Security Settings) from the Windows 10 and Windows Server baselines at this time because of reports that in its current implementation it causes more compatibility issues than we had anticipated."