Carbon Black Cloud: Observing a large number of alerts for code injection via CreateRemoteThread after upgrade to 3.7.0.1253
Article ID: 285941
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
After upgrading to or installing sensor version 3.7.0.1253, a large number of alerts for "inject code" via CreateRemoteThread appear in the Carbon Black Cloud Console.
See the example below:
The application c:\windows\system32\rundll32.exe attempted to inject code into the process "c:\windows\system32\searchindexer.exe", by calling the function "CreateRemoteThread". The operation was successful.
Environment
Carbon Black Cloud Sensor (Windows): Version 3.7.0.1253
Cause
The issue is currently under investigation.
Resolution
Carbon Black is currently investigating the root cause of this issue and a fix for it.
These alerts can safely be dismissed until a resolution is provided.
If "inject code" alerts are being observed for any function other than "CreateRemoteThread" or "NtQueueApcThread" (see Related Content below), please create a Support Case so the issue can be investigated further.
Additional Information
Known issue: "Unable to dismiss Alert" when "If this alert occurs in the future" is checked