Managing the Process Hollowing Protection Rapid Config
search cancel

Managing the Process Hollowing Protection Rapid Config


Article ID: 288529


Updated On:


Carbon Black App Control (formerly Cb Protection)


Steps to enable and configure the Rapid Config for Process Hollowing Protection.


  • App Control Console: All Supported Versions
  • App Control Agent: 8.9.0 or Higher 
  • Rules Installer: 1.20 or Higher
  • Microsoft Windows: All Supported Versions


  1. Log in to the Console and navigate to Rules > Software Rules > Rapid Configs.
  2. Click View Details (pencil icon) for Process Hollowing Protection.
  3. Change the Status to Enabled.
  4. Fill in the required fields
    • Report or Block Process Hollowing Applications
    • Applications Allowed To Hollow Processes
  5. Click Save & Exit

Additional Information

  • It's recommended to start this Rapid Config in "Report" to monitor for false positives.
  • Trusted applications that trigger the Rapid Config should be added to the list: "Applications Allowed To Hollow Processes."
  • Wildcards are supported in this field. 
    C:\Program Files (x86)\Acme Account\AcmeAcct.exe
  • More information on Process Hollowing can be found on the MITRE ATT&CK: Process Hollowing page.