Carbon Black Cloud: Observing a large number of alerts for code injection via NtQueueApcThread after upgrade to 3.7

Carbon Black Cloud: Observing a large number of alerts for code injection via NtQueueApcThread after upgrade to 3.7

Environment

  • Carbon Black Cloud Sensor: Version 3.7.0.1253+

Symptoms

  • After upgrading or installing sensor version 3.7.0.1253, there are a large number of Alerts for "inject code" via NtQueueApcThread in the Carbon Black Cloud Console.
  • See Example Below:
The application c:\windows\explorer.exe attempted to inject code into the process "c:\program files\internet explorer\iexplore.exe", by calling the function "NtQueueApcThread". The operation was successful.

Cause

A limitation found in the 3.7 sensor causes the increased alerts

Resolution

  • An initial fix in 3.7.0.1411 has reduced the number of alerts, but alerts can still be generated and will be addressed in a later release
  • These alerts can be safely be dismissed until a resolution can be provided
  • If "inject code" alerts are being observed for any other function besides "NtQueueApcThread", then please create a Support Case to investigate the issue further.

Related Content


Was this article helpful? Yes No
67% helpful (2/3)
Article Information
Author:
Creation Date:
‎06-09-2021
Views:
30081
Contributors