CB Defense: App blocked\terminated when attempted to inject code into itself

Environment

  • Cb Defense PSC Console: All Versions
  • Cb Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Symptoms

  • The app reputation is NOT_LISTED or UNKNOWN
  • The application attempts to inject code into itself
  • An Alert is not created on the PSC Console
  • A block or terminate event may not be observed in the PSC Console
  • A block or terminate event will be observed in the Windows Application Event Log. Example: 
    Information	MM/DD/YYYY HH:MM:SS PM	CbDefense	17	None	"Information: The application ""C:\path\appname.exe"" attempted to inject code into the process ""C:\path\appname.exe"" by calling the function ""SetWindowsHookExW"". The operation was blocked and the application terminated by Confer."

Resolution

  • Carbon Black is currently investigating the root cause and fix for this issue. 
  • To work around this issue in the meantime, the affected application(s) can be whitelisted to prevent a block or terminate action when the application attempts to inject code into itself.
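
Because no alert is created in the PSC Console, the Windows Application Event Log is the place to find which applications are affected before whitelisting anything. The following is an added example, not Carbon Black code: it parses a tab-delimited export of the Application log, keeps CbDefense event ID 17 records in the format shown under Symptoms, and counts those where the source and target are the same executable. The function names and sample rows are constructed, and the export layout is assumed to match the example line above.

```python
import csv
import io
import re
from collections import Counter

# Message layout copied from the example event in this article.
MESSAGE_RE = re.compile(
    r'The application "(?P<source>[^"]+)" attempted to inject code into '
    r'the process "(?P<target>[^"]+)" by calling the function "(?P<function>[^"]+)"'
)

def parse_export(text):
    """Return CbDefense event ID 17 injection records from a tab-delimited export."""
    events = []
    for row in csv.reader(io.StringIO(text), delimiter="\t", quotechar='"'):
        # Columns as in the article's example:
        # level, date/time, source, event ID, task category, message
        if len(row) < 6 or row[2] != "CbDefense" or row[3] != "17":
            continue
        match = MESSAGE_RE.search(row[5])
        if match:
            events.append({"when": row[1], **match.groupdict()})
    return events

def self_injection_counts(text):
    """Count blocked events whose source and target are the same executable."""
    counts = Counter()
    for event in parse_export(text):
        # Windows paths are case-insensitive, so compare them lowercased.
        if event["source"].lower() == event["target"].lower():
            counts[(event["source"].lower(), event["function"])] += 1
    return counts

# Constructed sample rows (hypothetical paths and timestamps).
_MSG = ('Information: The application "{src}" attempted to inject code into the '
        'process "{dst}" by calling the function "SetWindowsHookExW". The operation '
        'was blocked and the application terminated by Confer.')

def _row(when, src, dst, source="CbDefense"):
    message = _MSG.format(src=src, dst=dst).replace('"', '""')  # CSV-style quote doubling
    return f'Information\t{when}\t{source}\t17\tNone\t"{message}"'

SAMPLE = "\n".join([
    _row("01/24/2019 02:15:07 PM", r"C:\apps\report.exe", r"C:\apps\report.exe"),
    _row("01/24/2019 02:16:40 PM", r"C:\Apps\Report.exe", r"C:\apps\report.exe"),
    _row("01/24/2019 03:01:12 PM", r"C:\tools\helper.exe", r"C:\apps\report.exe"),
    _row("01/24/2019 03:05:00 PM", r"C:\apps\other.exe", r"C:\apps\other.exe", source="OtherApp"),
])

if __name__ == "__main__":
    for (path, function), n in self_injection_counts(SAMPLE).items():
        print(f"{n} blocked self-injection event(s): {path} via {function}")
```

Only the paths reported here match the symptom in this article; a record whose source and target differ is a cross-process injection block and is left out of the count.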

Article Information
Creation Date: 01-24-2019