werfault.exe false positive alerts continuously being generated by Windows sensors

Article ID: 419393

Updated On:

Products

Carbon Black Cloud Endpoint Standard

Issue/Introduction

Multiple false positive alerts are being generated in the Carbon Black Cloud console where "c:\windows\system32\werfault.exe" is attempting to open a thread handle.

Environment

  • Carbon Black Cloud Console: Prior to November 20, 2025 at 15:15 EST
  • Carbon Black Cloud Windows Sensor: Supported Versions
  • Microsoft Windows OS: Supported Versions

Cause

The CBC DRE rule for Tamper Protection was updated on November 19th, 2025, and the updated rule started to create false positive alerts.

Resolution

A DRE rule fix was pushed out to all CBC orgs on November 20th, 2025 at 15:15 EST. No other changes are required.