Endpoint Standard: Test Rule for "Injects code or modifies memory of another process" missing TTP


Article ID: 291954


Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

The query generated by the Test Rule feature does not include the TTP MODIFY_PROCESS_EXECUTION, yet events carrying that TTP are blocked when the "Injects code or modifies memory of another process" rule is in place. As a result, the Test Rule search under-reports the events the rule will actually affect.

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard

Cause

The Test Rule query is missing the TTP MODIFY_PROCESS_EXECUTION that the rule itself matches on. Tracked internally as DSER-27456.

Resolution

When using the Test Rule feature for this rule, append OR ttp:MODIFY_PROCESS_EXECUTION to the generated query before running it. The search then returns the same set of events the rule blocks, so the impact estimate is no longer incomplete.
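The following script, added here as an example and not part of this article or of Carbon Black's own tooling, applies that workaround outside the console: it takes a Test Rule query, appends the missing TTP (wrapping a multi-term query in parentheses so the OR applies to the whole expression, and leaving the query untouched if the TTP is already present), and optionally runs the corrected query against the Carbon Black Cloud Investigate enriched-events search API so the result count can be compared with the unpatched query. The API path, request fields and X-Auth-Token header format are assumed from the public Investigate API; CBC_URL, CBC_ORG_KEY, CBC_API_ID and CBC_API_SECRET are placeholder environment variables, and the sample query in the usage section is constructed for illustration.

```python
"""Patch a Carbon Black Cloud Test Rule query with the missing TTP and,
optionally, run it through the Investigate enriched-events search API.

Added example; not code from the KB article or from Carbon Black.
Assumptions: the enriched-events search-job endpoints and field names
below follow the public Investigate API, and the CBC_* environment
variables are placeholders supplied by the operator.
"""
import json
import os
import sys
import time
import urllib.request

# The TTP the Test Rule query omits (from the article).
MISSING_TTP = "ttp:MODIFY_PROCESS_EXECUTION"


def patch_test_rule_query(query: str, ttp: str = MISSING_TTP) -> str:
    """Return the query with `OR <ttp>` appended.

    Idempotent: a query already naming the TTP comes back unchanged.
    A multi-term query is wrapped in parentheses first so the appended OR
    widens the whole original expression, not just its last term (this
    matters when the original contains AND clauses).
    """
    q = query.strip()
    if not q:
        return ttp
    if ttp.lower() in q.lower():
        return q
    if " " in q:
        q = f"({q})"
    return f"{q} OR {ttp}"


def build_search_job(query: str, window: str = "-1d", rows: int = 50) -> dict:
    """Body for POST .../enriched_events/search_jobs (assumed field names)."""
    return {
        "query": patch_test_rule_query(query),
        "rows": rows,
        "time_range": {"window": window},
    }


def _request(method: str, url: str, token: str, body=None) -> dict:
    """Minimal JSON request helper; token is '<API secret>/<API id>'."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Auth-Token", token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_search(base_url: str, org_key: str, token: str, query: str,
               window: str = "-1d", rows: int = 50) -> dict:
    """Start a search job for the patched query and poll until complete."""
    base = (f"{base_url.rstrip('/')}/api/investigate/v2/orgs/{org_key}"
            "/enriched_events/search_jobs")
    job = _request("POST", base, token, build_search_job(query, window, rows))
    results_url = f"{base}/{job['job_id']}/results?start=0&rows={rows}"
    while True:
        res = _request("GET", results_url, token)
        # The job is done when every contacted sensor has reported.
        if res.get("completed", 0) >= res.get("contacted", 1):
            return res
        time.sleep(2)


if __name__ == "__main__":
    # Constructed sample: pass the real Test Rule query as argv[1].
    original = sys.argv[1] if len(sys.argv) > 1 else "ttp:INJECT_CODE"
    patched = patch_test_rule_query(original)
    print("Test Rule query :", original)
    print("Patched query   :", patched)

    url, org = os.environ.get("CBC_URL"), os.environ.get("CBC_ORG_KEY")
    api_id, secret = os.environ.get("CBC_API_ID"), os.environ.get("CBC_API_SECRET")
    if all((url, org, api_id, secret)):
        token = f"{secret}/{api_id}"
        before = run_search(url, org, token, original)
        after = run_search(url, org, token, patched)
        print("Events matched (Test Rule query):", before.get("num_found"))
        print("Events matched (with missing TTP):", after.get("num_found"))
```

Run it with the Test Rule query as the first argument; without the CBC_* variables it only prints the corrected query for pasting back into the console, and with them it reports the match counts with and without the missing TTP so the gap the article describes is visible.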