EDR: Why are a lot of tamper alerts triggered by "AlertCbCodeInjection" after upgrading to the 7.2.0 Windows agent?

Article ID: 291065

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why are a lot of tamper alerts triggered by "AlertCbCodeInjection" after upgrading to the 7.2.0 Windows agent?

Environment

  • EDR sensor: 7.2.0 and later
  • Windows: All supported versions

Resolution

A new tamper detection was added with the 7.2.0 release; this is why the new tamper alerts are triggered.

Additional Information

  • The alert "AlertCbCodeInjection" means that either the EDR AMSI DLL (CbEDRAMSI.dll, used to monitor PowerShell commands) or the CLI tool that disables tamper protection (CbEDRCLI.exe) was determined not to be the expected version or otherwise failed validation.
  • These alerts can be safely ignored, as they are not critical.
  • An enhancement that makes the root cause clear to users in the console is now on the roadmap.