Unexpected Reputation Based Block Events on Sensor 4.1+

Article ID: 427850

Products

Carbon Black Cloud Endpoint Standard

Issue/Introduction

  • Unexpected reputation-based blocks occur on 4.1+ sensors.
  • The block event generally occurs shortly after boot and/or sensor service start.
  • Symptoms may include:
    • Events for applications being wrongly terminated.
      • A block event matches "Unknown Application > Invokes Fileless Script > Terminate", yet all associated artifacts (the process, the parent process, and the fileless script) return a definitive (not unknown) reputation.
    • False positive events for applications being terminated, without an actual termination occurring.
      • A block event matches "Unknown Application > Communicates over the network > Terminate".
      • The netconn still shows as successful.
      • This situation is a false positive: the application shouldn't be terminated (and wasn't), but the event is logged as if it had been.

Cause

In a rare edge case, a file's initial reputation status is logged as RESOLVING (Unknown) and, although the reputation is subsequently updated, the system continues to enforce (or falsely report) a block based on the original status.

Resolution

  • The "false positive" blocks can be ignored.
  • For terminations that should not be occurring, a Sensor Exclusion may be required.
  • Reach out to Technical Support for assistance.
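
To separate the two symptoms described above when reviewing exported block events, the following added example (not code from this article or from the vendor) classifies each event. The event field names, the 5-minute startup window, the "UNKNOWN" label and the sample records are assumptions constructed for illustration, not a Carbon Black export format.

```python
from datetime import datetime, timedelta

UNKNOWN_REPS = {"RESOLVING", "UNKNOWN"}   # RESOLVING is the status the article names
STARTUP_WINDOW = timedelta(minutes=5)     # assumed; the article gives no figure

def triage(event, sensor_start):
    """Return (category, near_start) for one event in a hypothetical export schema."""
    when = datetime.fromisoformat(event["time"])
    near_start = timedelta(0) <= when - sensor_start <= STARTUP_WINDOW
    rule = [part.strip() for part in event["rule"].split(">")]
    if len(rule) != 3 or rule[0] != "Unknown Application" or rule[2] != "Terminate":
        return "other-rule", near_start
    # The stale-status issue only explains the block if every artifact
    # now reports a definitive reputation.
    if any(rep in UNKNOWN_REPS for rep in event["reputations"].values()):
        return "expected-block", near_start
    if rule[1] == "Communicates over the network" and event["netconn_succeeded"]:
        return "false-positive-log-only", near_start   # logged, nothing terminated
    if rule[1] == "Invokes Fileless Script" and event["process_terminated"]:
        return "wrongful-termination", near_start      # Sensor Exclusion candidate
    return "needs-review", near_start

def summarize(events, sensor_start):
    """Group event ids by triage category."""
    out = {}
    for ev in events:
        category, _ = triage(ev, sensor_start)
        out.setdefault(category, []).append(ev["id"])
    return out

# Constructed sample data (not real telemetry).
SENSOR_START = datetime.fromisoformat("2026-01-12T08:00:00")
OK = "TRUSTED_WHITE_LIST"
SAMPLE_EVENTS = [
    {"id": 1, "time": "2026-01-12T08:00:40",
     "rule": "Unknown Application > Invokes Fileless Script > Terminate",
     "process_terminated": True, "netconn_succeeded": False,
     "reputations": {"process": OK, "parent": OK, "script": OK}},
    {"id": 2, "time": "2026-01-12T08:01:10",
     "rule": "Unknown Application > Communicates over the network > Terminate",
     "process_terminated": False, "netconn_succeeded": True,
     "reputations": {"process": OK}},
    {"id": 3, "time": "2026-01-12T11:30:00",
     "rule": "Unknown Application > Communicates over the network > Terminate",
     "process_terminated": True, "netconn_succeeded": False,
     "reputations": {"process": "RESOLVING"}},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS, SENSOR_START))
```

Events in the "false-positive-log-only" group correspond to the blocks that can be ignored; those in "wrongful-termination" are the ones to review for a Sensor Exclusion.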

Additional Information

  • The 4.2.0 Windows Sensor version will include a fix for this behavior and is expected in Q2 2026 for GA release.
  • This issue is being tracked under CRE-23145 and CRE-22848.