You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We are unclear on what the CodeDeploy agent is doing. We see that it creates a ruby interpreter somewhere in a temporary folders in c:\windows\temp and then we see it executes a script winagent.rb. Once that newly deployed ruby interpreter runs that script, Endgame sees Rubyw.exe inject itself which it then stops this at it views this as process injection.
We have some whitelisting options, however due to the way the codedeploy agent deploys the ruby interpreter (as the system account and not a service account, into a random path, and into a user-writable directory), it gets tricky. We don't want to whitelist everything in temp directory. If there is already an environment path for a ruby interpreter, will codedeploy use that, or will it create a Rubyw.exe in the temp directory?
The text was updated successfully, but these errors were encountered:
We are unclear on what the CodeDeploy agent is doing. We see that it creates a ruby interpreter somewhere in a temporary folders in c:\windows\temp and then we see it executes a script winagent.rb. Once that newly deployed ruby interpreter runs that script, Endgame sees Rubyw.exe inject itself which it then stops this at it views this as process injection.
We have some whitelisting options, however due to the way the codedeploy agent deploys the ruby interpreter (as the system account and not a service account, into a random path, and into a user-writable directory), it gets tricky. We don't want to whitelist everything in temp directory. If there is already an environment path for a ruby interpreter, will codedeploy use that, or will it create a Rubyw.exe in the temp directory?
The text was updated successfully, but these errors were encountered: