We are unclear on what the CodeDeploy agent is doing. We see that it creates a ruby interpreter somewhere in a temporary folders in c:\windows\temp and then we see it executes a script winagent.rb. Once that newly deployed ruby interpreter runs that script, Endgame sees Rubyw.exe inject itself which it then stops this at it views this as process injection.
We have some whitelisting options, however due to the way the codedeploy agent deploys the ruby interpreter (as the system account and not a service account, into a random path, and into a user-writable directory), it gets tricky. We don't want to whitelist everything in temp directory. If there is already an environment path for a ruby interpreter, will codedeploy use that, or will it create a Rubyw.exe in the temp directory?
We are unclear on what the CodeDeploy agent is doing. We see that it creates a ruby interpreter somewhere in a temporary folders in c:\windows\temp and then we see it executes a script winagent.rb. Once that newly deployed ruby interpreter runs that script, Endgame sees Rubyw.exe inject itself which it then stops this at it views this as process injection.
We have some whitelisting options, however due to the way the codedeploy agent deploys the ruby interpreter (as the system account and not a service account, into a random path, and into a user-writable directory), it gets tricky. We don't want to whitelist everything in temp directory. If there is already an environment path for a ruby interpreter, will codedeploy use that, or will it create a Rubyw.exe in the temp directory?