Carbon Black Cloud: The application [application] spawned [child application] while spoofing the parent PID of [other application]


Article ID: 289338


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • An increasing number of alerts similar to the following are being generated:
    The application msedge_proxy.exe spawned msedge.exe while spoofing the parent PID of sihost.exe.
  • Reason code for alert "C7E86439-0A8D-47AB-AA70-C75FDB1F2DDC:C8174EEC-60D9-4446-A487-6CF96446C086"

Environment

  • Carbon Black Cloud Windows Sensor: 3.9.x and Higher

Cause

This is under investigation in EA-22653.

Resolution

  • A workaround may be to add the parent to the Approved List.
    • In the specific example above, adding msedge_proxy.exe to the Approved List may reduce these alerts.
  • Please pull sensor logs and, if possible, reproduce the issue with procmon.
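
To measure how much of the alert volume is the msedge_proxy.exe case before changing the Approved List, the following added example (not Carbon Black code) parses alert reason text in the format shown in the title and tallies each combination. The sample reasons are constructed, and it assumes reasons were exported as plain strings containing bare file names without spaces.

```python
import re
from collections import Counter

# Reason template taken from the article title; names are assumed to be
# bare file names without spaces (assumption, not a documented format).
REASON_RE = re.compile(
    r"The application (?P<app>\S+) spawned (?P<child>\S+) "
    r"while spoofing the parent PID of (?P<spoofed>\S+?)\.?$"
)

# The combination reported in the article.
KNOWN = ("msedge_proxy.exe", "msedge.exe", "sihost.exe")

# Constructed sample reasons, not real telemetry.
SAMPLE_REASONS = [
    "The application msedge_proxy.exe spawned msedge.exe while spoofing the parent PID of sihost.exe.",
    "The application msedge_proxy.exe spawned msedge.exe while spoofing the parent PID of sihost.exe.",
    "The application MSEDGE_PROXY.EXE spawned msedge.exe while spoofing the parent PID of sihost.exe",
    "The application example_tool.exe spawned cmd.exe while spoofing the parent PID of explorer.exe.",
    "The application example_tool.exe ran a script.",  # a different alert type
]

def parse_reason(reason):
    """Return (app, child, spoofed_parent) in lower case, or None if no match."""
    m = REASON_RE.match(reason.strip())
    if m is None:
        return None
    return tuple(m.group(k).lower() for k in ("app", "child", "spoofed"))

def triage(reasons, known=KNOWN):
    """Split alerts into the known combination, other combinations, and unparsed."""
    counts = Counter()
    unparsed = 0
    for reason in reasons:
        triple = parse_reason(reason)
        if triple is None:
            unparsed += 1
        else:
            counts[triple] += 1
    matching = counts.pop(known, 0)
    return matching, dict(counts), unparsed

if __name__ == "__main__":
    matching, review, unparsed = triage(SAMPLE_REASONS)
    print(f"known combination {KNOWN}: {matching} alert(s)")
    for (app, child, spoofed), n in sorted(review.items()):
        print(f"review: {app} -> {child} (parent PID of {spoofed}): {n}")
    print(f"not a parent-PID alert: {unparsed}")
```

Combinations listed under review are not the case described in this article and are worth examining separately rather than being folded into the same approval.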