Steps to enable and configure the Rapid Config for Process Hollowing Protection.

• App Control Console: All Supported Versions
• App Control Agent: 8.9.0 or Higher 
• Rules Installer: 1.20 or Higher
• Microsoft Windows: All Supported Versions

1. Log in to the Console and navigate to Rules > Software Rules > Rapid Configs.
2. Click View Details (pencil icon) for Process Hollowing Protection.
3. Change the Status to Enabled.
4. Fill in the required fields
   • Report or Block Process Hollowing Applications
   • Applications Allowed To Hollow Processes
5. Click Save & Exit

• It's recommended to start this Rapid Config in "Report" to monitor for false positives.
• Trusted applications that trigger the Rapid Config should be added to the list: "Applications Allowed To Hollow Processes."
• Wildcards are supported in this field. 

  Example:
  C:\Program Files (x86)\Acme Account\AcmeAcct.exe
  or
  *AcmeAcct.exe

• More information on Process Hollowing can be found on the MITRE ATT&CK: Process Hollowing page.