Carbon Black Cloud: Large Quantity of Alerts Due to Process Injection Via Hollowing

Environment

  • Carbon Black Cloud Sensor: 3.9.0 and Higher
  • Microsoft Windows: All Supported Versions

Symptoms

A large quantity of alerts in the console reporting process injection via hollowing, triggered by the rule "Report Process Hollowing".

Example:

The application xxx.exe injected code into another process (xxx.dll) via hollowing.

Cause

  • The large quantity of these alerts is due to a series of known issues in recent 3.9 Sensor versions.
  • On 3.9.0.2357, the problem was identified and addressed under DSEN-20840.
  • On 3.9.1.2464, additional unexpected detections of this behavior are being addressed by engineering under DSEN-22991; the fix is expected in the 3.9.2 Sensor release.

Resolution

Upgrade the Sensor to 3.9.1, or to 3.9.2 when it becomes available. Only 3.9.2 is expected to address the additional detections tracked under DSEN-22991, so alerts of this kind may continue on 3.9.1 until that release.
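As an added example that is not part of the original article and not Carbon Black's own tooling, the PowerShell below reads the installed sensor version on a Windows host and classifies it against the builds and tickets named in the Cause section, so an analyst can tell at a glance whether a flood of "Report Process Hollowing" alerts is explained by this known issue. The registry location and the display name prefix "Carbon Black Cloud Sensor" are assumptions; the console's sensor inventory is authoritative if they disagree. The sample version strings at the bottom are constructed for demonstration.

```powershell
# Added example, not code from the original article or from Carbon Black.
# Classifies a Carbon Black Cloud Windows sensor version against the builds
# and tickets this article names (DSEN-20840 on 3.9.0.x, DSEN-22991 on 3.9.1.x).

function Get-CbcSensorVersion {
    # ASSUMPTION: the sensor is registered under the standard Uninstall keys with
    # a DisplayName beginning "Carbon Black Cloud Sensor" and a four-part
    # DisplayVersion such as 3.9.1.2464. Check the console if your install differs.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Carbon Black Cloud Sensor*' } |
        Select-Object -First 1
    if ($null -eq $entry -or [string]::IsNullOrWhiteSpace($entry.DisplayVersion)) {
        return $null
    }
    return [version]$entry.DisplayVersion
}

function Test-HollowingKnownIssue {
    param([Parameter(Mandatory)][version]$SensorVersion)

    # The article treats the 3.9.0 and 3.9.1 lines as affected and names one
    # build in each, so classify by major.minor.build and ignore the revision.
    $line = [version]::new($SensorVersion.Major, $SensorVersion.Minor,
                           [Math]::Max($SensorVersion.Build, 0))

    if ($line -lt [version]'3.9.0') {
        $status = 'NotInScope'; $ticket = $null
        $action = 'Sensor predates 3.9; this known issue does not apply, triage the alerts normally'
    }
    elseif ($line -eq [version]'3.9.0') {
        $status = 'Affected'; $ticket = 'DSEN-20840'   # problem identified on 3.9.0.2357
        $action = 'Upgrade to 3.9.1, or to 3.9.2 when available'
    }
    elseif ($line -eq [version]'3.9.1') {
        $status = 'Affected'; $ticket = 'DSEN-22991'   # additional detections on 3.9.1.2464
        $action = 'Upgrade to 3.9.2 when available; extra detections persist on 3.9.1'
    }
    else {
        $status = 'Fixed'; $ticket = $null
        $action = '3.9.2 or later: hollowing alerts are not explained by this KB, investigate each one'
    }

    [pscustomobject]@{
        SensorVersion = $SensorVersion.ToString()
        Status        = $status
        Ticket        = $ticket
        Action        = $action
    }
}

# Constructed sample versions: the two builds the article names plus one on
# either side of the affected range.
$sampleVersions = '3.8.0.1000', '3.9.0.2357', '3.9.1.2464', '3.9.2.1'
$sampleVersions | ForEach-Object { Test-HollowingKnownIssue ([version]$_) } | Format-Table -AutoSize

# Then the live host, if a sensor is installed.
$installed = Get-CbcSensorVersion
if ($installed) { Test-HollowingKnownIssue $installed | Format-List }
else { Write-Warning 'No Carbon Black Cloud Sensor entry found under the Uninstall registry keys.' }
```

Run it elevated on a representative endpoint, or wrap `Get-CbcSensorVersion` in `Invoke-Command` across the fleet; hosts reported as `Affected` are the ones whose hollowing alerts can be attributed to the sensor issue, while alerts from `Fixed` or `NotInScope` hosts still deserve individual review.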

Article Information
Creation Date: 01-13-2023