Environment
- Carbon Black Cloud Sensor: Version 3.7.0.1253+
Symptoms
- After upgrading or installing sensor version 3.7.0.1253, there are a large number of Alerts for "inject code" via NtQueueApcThread in the Carbon Black Cloud Console.
- See the example below:
The application c:\windows\explorer.exe attempted to inject code into the process "c:\program files\internet explorer\iexplore.exe", by calling the function "NtQueueApcThread". The operation was successful.
Cause
A limitation found in the 3.7 sensor causes the increased number of alerts.
Resolution
- An initial fix in 3.7.0.1411 has reduced the number of alerts, but alerts can still be generated and will be addressed in a later release.
- These alerts can safely be dismissed until a resolution can be provided.
- If "inject code" alerts are being observed for any other function besides "NtQueueApcThread", then please create a Support Case to investigate the issue further.
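
The triage rule above, as an added Python example (not Carbon Black code): it parses alert reason text in the format quoted under Symptoms and separates NtQueueApcThread alerts on affected sensors from alerts that call for a Support Case. The sample alerts are constructed, and both reading "3.7.0.1253+" as "this version or newer" and routing alerts from older sensors to investigation are assumptions.

```python
import re

# Alert reason format as quoted under Symptoms in this article.
REASON_RE = re.compile(
    r'The application (?P<actor>.+?) attempted to inject code into the process '
    r'"(?P<target>[^"]+)", by calling the function "(?P<api>[^"]+)"\.'
)
REASON_FMT = ('The application {} attempted to inject code into the process "{}", '
              'by calling the function "{}". The operation was successful.')
KNOWN_ISSUE_API = "NtQueueApcThread"
FIRST_AFFECTED = (3, 7, 0, 1253)  # Environment section; "+" read as "or newer" (assumption)

def parse_version(text):
    """Turn '3.7.0.1411' into (3, 7, 0, 1411) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(alerts):
    """Bucket (sensor_version, reason) pairs per the Resolution section.

    known_issue: NtQueueApcThread on an affected sensor (dismissable per this article)
    investigate: any other function (Support Case), or an older sensor (assumption)
    unparsed:    reason text that is not an "inject code" alert
    """
    buckets = {"known_issue": [], "investigate": [], "unparsed": []}
    for version, reason in alerts:
        m = REASON_RE.search(reason)
        if m is None:
            buckets["unparsed"].append((version, reason))
            continue
        record = {"sensor": version, **m.groupdict()}
        affected = parse_version(version) >= FIRST_AFFECTED
        key = "known_issue" if affected and m["api"] == KNOWN_ISSUE_API else "investigate"
        buckets[key].append(record)
    return buckets

# Constructed sample alerts (sensor version, reason text); not real console data.
EXPLORER, IEXPLORE = r"c:\windows\explorer.exe", r"c:\program files\internet explorer\iexplore.exe"
SAMPLE = [
    ("3.7.0.1253", REASON_FMT.format(EXPLORER, IEXPLORE, "NtQueueApcThread")),
    ("3.7.0.1411", REASON_FMT.format(EXPLORER, IEXPLORE, "NtQueueApcThread")),
    ("3.7.0.1411", REASON_FMT.format(r"c:\example\app.exe", IEXPLORE, "CreateRemoteThread")),
    ("3.6.0.1000", REASON_FMT.format(EXPLORER, IEXPLORE, "NtQueueApcThread")),
    ("3.7.0.1411", "Constructed alert text that is not an inject code alert."),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(f"{bucket}: {len(items)}")
```

The function name is matched exactly, so a reason string that differs in any way lands in `investigate` rather than being dismissed.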