Alerts for "The process XXX.exe had a blocked image loaded" After Upgrade to 3.9.x+ Sensor


Article ID: 396181


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • After upgrading from sensor version 3.8.x and below to 3.9.x and above, blocks for "image loaded" occur. Example:
    The process c:\windows\syswow64\inetsrv\w3wp.exe had a blocked image loaded
    c:\windows\syswow64\windowspowershell\v1.0\powershell.exe. A Terminate Policy Action was applied.
  • confer.log shows:
    Terminate by policy:FE7B920A-4A43-48A4-97D6-485DDE059A90 rev:180 rule:FBC2363C-BF7D-4E41-90B8-F9109554B331 (Terminate load module)

Environment

  • Carbon Black Cloud Sensor: 3.9.x and higher
  • Microsoft Windows: All Supported Versions

Cause

A false positive caused by new rules introduced in sensor version 3.9 and later.

Resolution

Create a Sensor Operation Exclusion for the specific script or command (CMD) that is experiencing the false positive. Use the granular event data in Alert Triage / Alert Details to make the exclusion as specific as possible.
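The alert text and the confer.log line above have a fixed layout. The following script is an added example, not part of this article or the sensor: it parses both formats, counts Terminate alerts per exact (process, image) path pair and collects the rule GUIDs that fired, so an exclusion can be scoped to the specific paths seen rather than a wildcard. The sample alerts and log lines are constructed from the article's example plus one invented process path.

```python
import re
from collections import Counter

# Alert text as shown in Alert Triage; lazy matches let paths contain spaces.
ALERT_RE = re.compile(
    r"The process (?P<process>.+?) had a blocked image loaded "
    r"(?P<image>.+?)\. A (?P<action>\w+) Policy Action was applied",
    re.IGNORECASE,
)
# confer.log line: policy GUID, policy revision, rule GUID, rule name.
CONFER_RE = re.compile(
    r"Terminate by policy:(?P<policy>[0-9A-Fa-f-]{36}) rev:(?P<rev>\d+) "
    r"rule:(?P<rule>[0-9A-Fa-f-]{36}) \((?P<rule_name>[^)]+)\)"
)

def parse_alert(text):
    """Return process, image (lowercased paths) and action from an alert string, or None."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    return {"process": m["process"].lower(), "image": m["image"].lower(), "action": m["action"]}

def parse_confer(line):
    """Return the policy/rule fields from a confer.log block line, or None."""
    m = CONFER_RE.search(line)
    return m.groupdict() if m else None

def summarize(alert_texts, confer_lines):
    """Count Terminate alerts per (process, image) pair and map rule GUIDs to rule names."""
    pairs = Counter()
    for text in alert_texts:
        alert = parse_alert(text)
        if alert and alert["action"].lower() == "terminate":
            pairs[(alert["process"], alert["image"])] += 1
    rules = {}
    for line in confer_lines:
        entry = parse_confer(line)
        if entry:
            rules[entry["rule"]] = entry["rule_name"]
    return {"pairs": dict(pairs), "rules": rules}

# Constructed sample input: the article's alert (twice, one with mixed case) and an invented one.
SAMPLE_ALERTS = [
    r"The process c:\windows\syswow64\inetsrv\w3wp.exe had a blocked image loaded c:\windows\syswow64\windowspowershell\v1.0\powershell.exe. A Terminate Policy Action was applied.",
    r"The process C:\Windows\SysWOW64\inetsrv\w3wp.exe had a blocked image loaded C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe. A Terminate Policy Action was applied.",
    r"The process c:\program files\example app\svc.exe had a blocked image loaded c:\windows\system32\cmd.exe. A Terminate Policy Action was applied.",
]
SAMPLE_CONFER = [
    "Terminate by policy:FE7B920A-4A43-48A4-97D6-485DDE059A90 rev:180 rule:FBC2363C-BF7D-4E41-90B8-F9109554B331 (Terminate load module)",
]

if __name__ == "__main__":
    for (proc, img), n in summarize(SAMPLE_ALERTS, SAMPLE_CONFER)["pairs"].items():
        print(f"{n}x {proc} -> {img}")
```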