
Carbon Black Cloud: Observing a large number of alerts for code injection via NtQueueApcThread after upgrade to 3.7

Environment

  • Carbon Black Cloud Sensor: Version 3.7.0.1253+

Symptoms

  • After upgrading to or installing sensor version 3.7.0.1253, a large number of alerts for "inject code" via NtQueueApcThread appear in the Carbon Black Cloud Console.
  • Example alert:
The application c:\windows\explorer.exe attempted to inject code into the process "c:\program files\internet explorer\iexplore.exe", by calling the function "NtQueueApcThread". The operation was successful.

Cause

A limitation in the 3.7 sensor causes the increased number of alerts.

Resolution

  • An initial fix in 3.7.0.1411 has reduced the number of alerts, but alerts can still be generated; this will be addressed in a later release.
  • These alerts can safely be dismissed until a resolution is provided.
  • If "inject code" alerts are being observed for any other function besides "NtQueueApcThread", then please create a Support Case to investigate the issue further.
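
The triage rule in the Resolution list can be applied to exported alert text with a short script. This is an added example, not Carbon Black code: it assumes alerts are available as (alert text, sensor version) pairs, the function names and bucket labels are hypothetical, and routing NtQueueApcThread alerts from sensors older than 3.7.0.1253 to manual review is an assumption drawn from the Environment section.

```python
import re
from collections import Counter

# Layout of the alert text, taken from the example alert in this article.
REASON_RE = re.compile(
    r'The application (?P<source>.+?) attempted to inject code into the '
    r'process "(?P<target>[^"]+)", by calling the function '
    r'"(?P<function>[^"]+)"\. The operation was (?P<outcome>\w+)\.'
)
KNOWN_ISSUE_FUNCTION = "NtQueueApcThread"
FIRST_AFFECTED = (3, 7, 0, 1253)  # first sensor build named in the article

def parse_version(text):
    """Turn '3.7.0.1411' into (3, 7, 0, 1411) so builds compare numerically."""
    return tuple(int(part) for part in text.split("."))

def triage(reason, sensor_version):
    """Return (bucket, parsed_fields) for one alert."""
    match = REASON_RE.search(reason)
    if match is None:
        return "unparsed", {}
    fields = match.groupdict()
    if fields["function"] != KNOWN_ISSUE_FUNCTION:
        return "open_support_case", fields   # any other function: escalate
    if parse_version(sensor_version) < FIRST_AFFECTED:
        return "review", fields              # assumption: older sensors are out of scope
    return "known_issue", fields             # dismissible per the Resolution section

def summarize(alerts):
    """Count alerts per (bucket, source, target) so bulk dismissals stay auditable."""
    counts = Counter()
    for reason, version in alerts:
        bucket, f = triage(reason, version)
        counts[(bucket, f.get("source", "").lower(), f.get("target", "").lower())] += 1
    return counts

# Constructed sample data: (alert text, sensor version). The first text is the
# article's example; the other text and all version pairings are made up.
ARTICLE_EXAMPLE = (r'The application c:\windows\explorer.exe attempted to inject code '
                   r'into the process "c:\program files\internet explorer\iexplore.exe", '
                   r'by calling the function "NtQueueApcThread". The operation was successful.')
OTHER_FUNCTION = (r'The application c:\example\tool.exe attempted to inject code into the '
                  r'process "c:\windows\system32\notepad.exe", by calling the function '
                  r'"CreateRemoteThread". The operation was successful.')
SAMPLE_ALERTS = [(ARTICLE_EXAMPLE, "3.7.0.1411"), (ARTICLE_EXAMPLE, "3.7.0.1253"),
                 (OTHER_FUNCTION, "3.7.0.1411"), (ARTICLE_EXAMPLE, "3.6.0.1000")]

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_ALERTS).items()):
        print(count, *key)
```

Grouping by source and target process keeps a record of which process pairs were dismissed under the known issue.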

Article Information
Creation Date: 06-09-2021