FILELESS_SCRIPTLOAD is blocked by a Core Prevention Rule



Article ID: 424941


Updated On:

Products

Carbon Black Cloud Endpoint Standard

Issue/Introduction

Core Prevention rules such as "Advanced Scripting Prevention" in Carbon Black Cloud can block FILELESS_SCRIPTLOAD actions, which generates alerts.

Environment

  • Carbon Black Cloud Console: Current Version
  • Carbon Black Cloud Sensor: All Versions

Cause

Core Preventions are built on behavior-based rules that are not exposed in the console, but each Core Prevention allows exclusions to be created. For some Core Prevention blocks, updating the Reputation of the target hash is enough to stop the block; for others, a Core Prevention exclusion is required.

Resolution

FILELESS_SCRIPTLOAD blocks fall into the second category: a Core Prevention exclusion must be created to stop the block, and adding a Reputation approval for the target hash alone is insufficient.

  1. Click on Enforce > Policies > Click on the name of the policy assigned to the endpoint receiving the block alert for the Core Prevention
  2. Click on the Prevention Tab > Click the + for Core Prevention > Expand "Advanced Scripting Prevention"
  3. Click on Add Exclusion Rule
  4. Add Exclusion values for any combination of Process Path and/or Process CMD for the command interpreter that performed the FILELESS_SCRIPTLOAD (e.g. powershell.exe or cmd.exe)
  5. Once the Core Prevention Exclusion has been added, wait for the sensor to receive the updated policy, then test and validate that the block no longer occurs.