CB Defense: App blocked\terminated when attempted to inject code into itself

Article ID: 290243

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • The app reputation is NOT_LISTED or UNKNOWN
  • The application attempts to inject code into itself
  • An Alert is not created on the PSC Console
  • A block or terminate event may not be observed in the PSC Console
  • A block or terminate event will be observed in the Windows Application Event Log. Example: 
    Information	MM/DD/YYYY HH:MM:SS PM	CbDefense	17	None	"Information: The application ""C:\path\appname.exe"" attempted to inject code into the process ""C:\path\appname.exe"" by calling the function ""SetWindowsHookExW"". The operation was blocked and the application terminated by Confer."

Environment

  • Cb Defense PSC Console: All Versions
  • Cb Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

  • Carbon Black is currently investigating the root cause and fix for this issue. 
  • To work around this issue in the meantime, the affected application(s) can be whitelisted to prevent a block or terminate action when the application attempts to inject code into itself.
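
Because these blocks may not appear in the PSC Console, the affected applications can be identified from a text export of the Windows Application Event Log. The Python below is an added example, not Carbon Black code; it assumes a tab-delimited export with the column order of the example event above (level, date, source, event ID, task category, message), and the sample rows and paths in it are constructed.

```python
import csv
import io
import re
from collections import Counter

# Message wording taken from the Event ID 17 example in this article.
MSG_RE = re.compile(
    r'The application "(?P<app>[^"]+)" attempted to inject code into the '
    r'process "(?P<target>[^"]+)" by calling the function "(?P<func>[^"]+)"'
)

def self_injection_blocks(export_text):
    """Count CbDefense event 17 records where the application and the target
    process are the same file, keyed by (lower-cased path, API function)."""
    hits = Counter()
    # Assumed export layout: tab-delimited, message field quoted with its
    # inner quotes doubled. The csv module undoes that quoting.
    for row in csv.reader(io.StringIO(export_text), delimiter="\t"):
        if len(row) < 6 or row[2] != "CbDefense" or row[3] != "17":
            continue
        m = MSG_RE.search(row[5])
        # Windows paths are case-insensitive, so compare lower-cased.
        if m and m["app"].lower() == m["target"].lower():
            hits[(m["app"].lower(), m["func"])] += 1
    return hits

def _row(source, message):
    # Constructed sample row in the same layout as the article's example.
    quoted = '"' + message.replace('"', '""') + '"'
    return "\t".join(["Information", "01/02/2024 01:00:00 PM", source, "17", "None", quoted])

_MSG = ('Information: The application "{a}" attempted to inject code into the '
        'process "{t}" by calling the function "{f}". The operation was blocked '
        'and the application terminated by Confer.')

# Constructed sample data: two self-injection blocks (paths differ only in
# case), one cross-process block, and one record from an unrelated source.
SAMPLE_EXPORT = "\n".join([
    _row("CbDefense", _MSG.format(a=r"C:\Tools\appname.exe", t=r"C:\Tools\appname.exe", f="SetWindowsHookExW")),
    _row("CbDefense", _MSG.format(a=r"C:\Tools\AppName.exe", t=r"c:\tools\appname.exe", f="SetWindowsHookExW")),
    _row("CbDefense", _MSG.format(a=r"C:\Tools\other.exe", t=r"C:\Windows\explorer.exe", f="SetWindowsHookExW")),
    _row("OtherSource", "unrelated message"),
])

if __name__ == "__main__":
    for (path, func), count in self_injection_blocks(SAMPLE_EXPORT).most_common():
        print(f"{count}\t{func}\t{path}")
```

Each path in the output is a candidate for the whitelisting workaround; records where the application and the target process differ are left out because they are not this issue.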