Endpoint Standard: SetWindowsHookExW Blocking Events
Article ID: 292570

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Block events occur with no user pop-up notification
  • Block events may contain wording such as: "C:\users\exampleuser\ExampleFile.pdf attempted to inject code into the process 'C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe' by calling the function 'SetWindowsHookExW'. The operation was blocked and the application terminated by Confer."
  • The application is prevented from completing the operation and may quit

Environment

  • Endpoint Standard Sensor: 3.6.x and Below
  • Microsoft Windows: All Supported Versions
  • Adobe Reader: All Versions
  • Adobe Acrobat Pro: All Versions

Cause

  • A Microsoft Windows application hook (the SetWindowsHookExW API call) is detected as a code injection attempt

Resolution

Add an API bypass rule for C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe:
  • Applications at path: *:\**\AcroRd32.exe
  • Operation Attempt: Performs any API operation
  • Action: Bypass

OR

Remove the Blocking & Isolation rule for:
  • Applications at path: **\*.pdf
  • Operation Attempt: Injects code or modifies memory of another process
  • Action: Terminate process
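As an added illustration, not code from this article or from Carbon Black, the Python below shows how the two rule path patterns above match the paths quoted in the block event, and which action results before and after each change. The glob semantics (`**\` spans directories, `*` stays within one segment) and the bypass-first precedence are assumptions for the sketch, not documented sensor behaviour.

```python
import re

# Constructed sample paths, taken from the block event and the bypass rule above.
PDF_ACTOR = r"C:\users\exampleuser\ExampleFile.pdf"
READER_EXE = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"

# The two rules discussed above: (applications at path, operation attempt, action).
BYPASS_RULE = (r"*:\**\AcroRd32.exe", "any_api", "bypass")
PDF_INJECT_RULE = (r"**\*.pdf", "inject_code", "terminate")


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a policy path glob into a regex.
    Assumed semantics: '**\\' matches zero or more directory segments,
    '*' matches within a single segment, and matching ignores case."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**\\", i):
            out.append(r"(?:.*\\)?")   # any depth, including none
            i += 3
        elif pattern[i] == "*":
            out.append(r"[^\\]*")      # wildcard inside one segment (e.g. the drive letter)
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def path_matches(path: str, pattern: str) -> bool:
    return pattern_to_regex(pattern).match(path) is not None


def decide(actor_path: str, operation: str, rules) -> str:
    """Return the action the policy takes for an operation by actor_path.
    Assumption: a matching 'Performs any API operation -> Bypass' rule wins,
    since bypass stops the sensor from evaluating that application at all."""
    for path_glob, op, action in rules:
        if action == "bypass" and op == "any_api" and path_matches(actor_path, path_glob):
            return "bypass"
    for path_glob, op, action in rules:
        if op == operation and path_matches(actor_path, path_glob):
            return action
    return "allow"


if __name__ == "__main__":
    print(decide(PDF_ACTOR, "inject_code", [PDF_INJECT_RULE]))              # terminate
    print(decide(READER_EXE, "inject_code", [BYPASS_RULE, PDF_INJECT_RULE]))  # bypass
    print(decide(PDF_ACTOR, "inject_code", []))                             # allow
```

Note that the bypass option exempts every API operation by AcroRd32.exe from evaluation, which is far broader than removing the single PDF injection rule.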

Additional Information

  • This issue will be addressed with the release of the 3.7 Sensor (release date not yet determined, but likely end of Q1 2021)
  • This article will be updated once the release and the fix have been confirmed