Carbon Black Cloud: The application [application] spawned [child application] while spoofing the parent PID of [other application]

Environment

  • Carbon Black Cloud Windows Sensor: 3.9.x and Higher

Symptoms

  • An increasing number of alerts similar to:
    The application msedge_proxy.exe spawned msedge.exe while spoofing the parent PID of sihost.exe.
  • Reason code for alert "C7E86439-0A8D-47AB-AA70-C75FDB1F2DDC:C8174EEC-60D9-4446-A487-6CF96446C086"

Cause

This is being investigated under EA-22653.

Resolution

  • A workaround may be to add the parent (the application reported as spawning the child) to the Approved List
    • In the specific example above, adding msedge_proxy.exe to the Approved List may reduce these alerts
  • Please pull sensor logs and, if possible, reproduce the issue with Procmon

Article Information
Creation Date: 02-16-2023