Managing the Process Hollowing Protection Rapid Config

Article ID: 288529

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to enable and configure the Rapid Config for Process Hollowing Protection.

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: 8.9.0 or Higher 
  • Rules Installer: 1.20 or Higher
  • Microsoft Windows: All Supported Versions

Resolution

  1. Log in to the Console and navigate to Rules > Software Rules > Rapid Configs.
  2. Click View Details (pencil icon) for Process Hollowing Protection.
  3. Change the Status to Enabled.
  4. Fill in the required fields:
    • Report or Block Process Hollowing Applications
    • Applications Allowed To Hollow Processes
  5. Click Save & Exit.

Additional Information

  • It is recommended to start this Rapid Config in "Report" mode to monitor for false positives.
  • Trusted applications that trigger the Rapid Config should be added to the list "Applications Allowed To Hollow Processes."
  • Wildcards are supported in this field.
    Example:
    C:\Program Files (x86)\Acme Account\AcmeAcct.exe
    or
    *AcmeAcct.exe
  • More information on Process Hollowing can be found on the MITRE ATT&CK: Process Hollowing page.
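The following is an added example, not App Control's own code, that models the Report-mode tuning workflow described above: events from a constructed sample are checked against the "Applications Allowed To Hollow Processes" list, and the applications that would still be reported or blocked are tallied so an admin can decide which trusted ones to allow. It assumes wildcard matching where `*` matches any run of characters and paths compare case-insensitively; the product's exact matching semantics are not stated on this page.

```python
from fnmatch import fnmatchcase
from collections import Counter

# Constructed sample of hollowing events as they might appear while the
# Rapid Config runs in "Report" mode: (hollowing application, hollowed
# target process). These are illustrative values, not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Program Files (x86)\Acme Account\AcmeAcct.exe", r"C:\Windows\System32\svchost.exe"),
    (r"C:\Users\jdoe\AppData\Local\Temp\update.exe", r"C:\Windows\System32\notepad.exe"),
    (r"c:\program files (x86)\acme account\acmeacct.exe", r"C:\Windows\explorer.exe"),
    (r"C:\Users\jdoe\Downloads\invoice.exe", r"C:\Windows\System32\svchost.exe"),
]

def is_allowed(app_path, allowed_patterns):
    """True if the hollowing application matches an entry in the
    "Applications Allowed To Hollow Processes" list.
    Assumption: '*' matches any characters (fnmatch semantics) and
    comparison ignores case, as Windows paths do."""
    path = app_path.lower()
    return any(fnmatchcase(path, pattern.lower()) for pattern in allowed_patterns)

def decide(app_path, mode, allowed_patterns):
    """Outcome for a single event under the Rapid Config's configured mode.
    mode is the "Report or Block Process Hollowing Applications" setting."""
    if mode not in ("Report", "Block"):
        raise ValueError(f"unknown mode: {mode}")
    if is_allowed(app_path, allowed_patterns):
        return "Allow"
    return mode

def tuning_summary(events, allowed_patterns):
    """Per hollowing application, count events the current allow list does
    not cover. Reviewing this while in Report mode shows which trusted
    applications still need an allow-list entry before switching to Block."""
    counts = Counter()
    for app, _target in events:
        if not is_allowed(app, allowed_patterns):
            counts[app.lower()] += 1
    return dict(counts)

if __name__ == "__main__":
    allow_list = ["*AcmeAcct.exe"]
    for app, count in sorted(tuning_summary(SAMPLE_EVENTS, allow_list).items()):
        print(f"{count} event(s) still reported for: {app}")
```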