Endpoint Standard: False Positive Blocks on macOS Sensors for Microsoft Office Applications
Article ID: 292453

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Blocks being seen for legitimate Microsoft Office updates

Environment

  • Carbon Black Cloud: All Versions
  • Carbon Black Cloud Endpoint Standard: macOS Sensor
  • Operating System: macOS

Cause

Microsoft Office upgrades on macOS devices invoke the /sh command (a command interpreter), which is what the existing Mac Office rules block. This has been confirmed as expected behavior.

Resolution

The fix is to replace the current Mac Office rules with the rules intended for this use case, as described in the "Mac Policy Guidelines" document on UeX.

Specifically, migrate the rules from matching the Office application paths:
  • **/Microsoft Word.app/**
  • **/Microsoft PowerPoint.app/**
  • **/Microsoft Excel.app/**

to their corresponding Office macro extensions for Mac:
  • /**.pptm
  • /**.docm
  • /**.xlsm

for the following operations:
  • Scrapes memory of another process
  • Invokes an untrusted process
  • Invokes a command interpreter
  • Injects code or modifies memory of another process
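As an added illustration (not part of this article and not Carbon Black's own code), the following Python shows why the path-based rules catch the Office updater while the extension-based rules do not. It assumes the rule globs are evaluated against the full path of the initiating file, with `**` spanning directory separators and `*` not; the sample paths are constructed.

```python
import re

# Operations listed in the article that the rules apply to.
OPERATIONS = {
    "Scrapes memory of another process",
    "Invokes an untrusted process",
    "Invokes a command interpreter",
    "Injects code or modifies memory of another process",
}
# Current rules (trigger the false positive) vs. the replacement rules.
OLD_RULES = ["**/Microsoft Word.app/**", "**/Microsoft PowerPoint.app/**", "**/Microsoft Excel.app/**"]
NEW_RULES = ["/**.pptm", "/**.docm", "/**.xlsm"]


def glob_to_regex(pattern):
    """Translate a path glob to a regex. Assumption: '**' spans '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out))


def rule_matches(rules, path, operation):
    """True if any rule glob matches the path and the operation is one the rules cover."""
    if operation not in OPERATIONS:
        return False
    return any(glob_to_regex(r).fullmatch(path) for r in rules)


# Constructed sample events: (path of the initiating file, operation observed).
EVENTS = [
    ("/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word", "Invokes a command interpreter"),
    ("/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel", "Invokes a command interpreter"),
    ("/Users/alice/Downloads/invoice.docm", "Invokes a command interpreter"),
    ("/Users/alice/Documents/report.docx", "Invokes a command interpreter"),
]


def compare(events=EVENTS):
    """Map each sample path to (blocked by OLD_RULES, blocked by NEW_RULES)."""
    return {p: (rule_matches(OLD_RULES, p, op), rule_matches(NEW_RULES, p, op)) for p, op in events}
```

Under the old rules the Office binaries themselves match (so the updater's /sh call is blocked), while under the new rules only macro-enabled documents match.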