Carbon Black Cloud: Large Quantity of Alerts Due to Process Injection Via Hollowing
Article ID: 291202


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

A large quantity of alerts appears in the console reporting process injection via hollowing, triggered by the rule "Report Process Hollowing".

Example:

The application xxx.exe injected code into another process (xxx.dll) via hollowing.

Environment

  • Carbon Black Cloud Sensor: 3.9.0 and Higher
  • Microsoft Windows: All Supported Versions

Cause

  • The large quantity of these alerts is due to a series of known issues in recent 3.9 Sensor versions.
  • On 3.9.0.2357, the problem was identified and addressed in the resolution of DSEN-20840.
  • On 3.9.1.2464, additional unexpected detections of this behavior were addressed by engineering under DSEN-22991, which was expected to be resolved in the 3.9.2 Sensor release.
  • Additional instances of this were tracked under EA-23730 and EA-23451, which are resolved in 4.0.0.1292.

Resolution

Upgrade to Sensor version 4.0.0.1292.