Environment
- Carbon Black Cloud Sensor: 3.9.0 and Higher
- Microsoft Windows: All Supported Versions
Symptoms
A large quantity of alerts in the console report process injection via hollowing, triggered by the rule "Report Process Hollowing".
Example:
The application xxx.exe injected code into another process (xxx.dll) via hollowing.
Cause
- The large quantity of these alerts is due to a series of known issues in recent 3.9 Sensor versions.
- On 3.9.0.2357, the problem was identified and addressed in the resolution of DSEN-20840.
- On 3.9.1.2464, additional unexpected detections of this behavior were addressed by engineering under DSEN-22991, which was expected to be resolved in the 3.9.2 Sensor release.
- Additional instances of this were resolved in EA-23730 and EA-23451, which are resolved in 4.0.0.1292.
Resolution
Upgrade to sensor version 4.0.0.1292