Solved

Known Behavior of execmd.ps1?



Looking to validate events from an EDR related to amagent activity. Are these known behaviors?

The script C:\programdata\amagent\execdir775765479\execcmd799295514.ps1 attempted to create a viewable window, by calling the function "CreateWindowExW". The operation was successful.

The script C:\programdata\amagent\execdir775765479\execcmd799295514.ps1 attempted to modify the next instruction to execute in the process "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe". The operation was blocked and the application terminated by Cb Defense.

 

Best answer by JohnG-Automox

Hi @filemod !


Just checking in and seeing if this is still an issue for you.

In the example you provided, it appears that CB Defense is blocking the invocation of the Automox Agent’s (Powershell) scripts under the C:\programdata\amagent\execdir directory.

If you are still experiencing this behavior, I recommend taking a look at our Globally Trust-listing Automox Through EPP Application Control article to ensure your EPP is set up correctly to work with the Automox Agent. For Carbon Black, you will need to set up your App Control policies to allow our agent.

You may also need to whitelist our agent directories explicitly if you are still experiencing issues.

If you need a hand with this process, please open up a ticket with our support team so they can guide you through the process.

 

Have a great day!
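To make the triage John describes repeatable, here is an added example (not Automox's or Carbon Black's code) that parses alert sentences of the shape quoted in the question and classifies each one: it treats a script under the C:\programdata\amagent\execdir pattern as the agent's, flags anything else for review, and separately notes when the EPP blocked an otherwise expected event. The directory pattern, the PowerShell host paths and the sample alerts are assumptions modelled on this thread, not vendor-published rules.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the two events quoted in the question plus one
# control event from a path that is NOT the Automox agent's execdir.
SAMPLE_ALERTS = [
    r'The script C:\programdata\amagent\execdir775765479\execcmd799295514.ps1 attempted to create a viewable window, by calling the function "CreateWindowExW". The operation was successful.',
    r'The script C:\programdata\amagent\execdir775765479\execcmd799295514.ps1 attempted to modify the next instruction to execute in the process "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe". The operation was blocked and the application terminated by Cb Defense.',
    r'The script C:\Users\Public\execcmd123.ps1 attempted to create a viewable window, by calling the function "CreateWindowExW". The operation was successful.',
]

# Assumption: agent scripts live at C:\programdata\amagent\execdir<digits>\execcmd<digits>.ps1
AMAGENT_SCRIPT = re.compile(
    r"^C:\\programdata\\amagent\\execdir\d+\\execcmd\d+\.ps1$", re.IGNORECASE)
# Assumption: the only legitimate target process is the Windows PowerShell host.
POWERSHELL_HOST = re.compile(
    r"^C:\\Windows\\(System32|SysWOW64)\\WindowsPowerShell\\v1\.0\\powershell\.exe$",
    re.IGNORECASE)
# Sentence shape of the alerts: script, action, optional target process, outcome.
ALERT = re.compile(
    r'^The script (?P<script>\S+) attempted to (?P<action>.+?)'
    r'(?: in the process "(?P<target>[^"]+)")?\. The operation was (?P<outcome>.+?)\.$')


@dataclass
class Triage:
    script: str
    action: str
    target: Optional[str]
    blocked: bool
    verdict: str


def triage(alert: str) -> Triage:
    """Classify one alert sentence; raises ValueError if it does not parse."""
    m = ALERT.match(alert)
    if not m:
        raise ValueError("unrecognised alert format")
    script, action, target, outcome = m.group("script", "action", "target", "outcome")
    blocked = outcome.lower().startswith("blocked")
    if not AMAGENT_SCRIPT.match(script):
        verdict = "review: script is outside the Automox agent execdir"
    elif target and not POWERSHELL_HOST.match(target):
        verdict = "review: agent script touched an unexpected process"
    elif blocked:
        verdict = "expected source, but EPP blocked it: trust-list the agent per vendor guidance"
    else:
        verdict = "expected: Automox agent script activity"
    return Triage(script, action, target, blocked, verdict)


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        t = triage(line)
        print(f"{t.verdict} | script={t.script} target={t.target}")
```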

 


4 replies

  • 0 replies
  • March 16, 2022

Hmm...actually, let me double-check with a couple of teams to get some feedback. Thanks for posting! 


  • Rookie
  • 1 reply
  • December 11, 2023
Anonymous wrote:

Hmm...actually, let me double-check with a couple of teams to get some feedback. Thanks for posting! 

 


JohnG-Automox
  • Automox Employee
  • 121 replies
  • Answer
  • December 11, 2023

  • Author
  • Rookie
  • 2 replies
  • January 23, 2024

Hi John,

Not so much an issue, but still getting some alerts on Automox related activity. I’ve done some Carbon Black hash approvals to reduce the alerts, I’ll check the links you shared.

 

Thanks,



