Environment
- EDR sensor: 7.2.0 and later
- Windows: All supported versions
Question
Why are many tamper alerts with the reason "AlertCbCodeInjection" triggered after upgrading to the 7.2.0 Windows sensor?
Answer
A new tamper detection check was added in the 7.2.0 release. That check is what raises the new tamper alerts, so an increase in alerts is expected after the upgrade.
Additional Notes
- The alert reason "AlertCbCodeInjection" means that one of two sensor components failed validation: either the EDR AMSI DLL (CbEDRAMSI.dll, which the sensor uses to monitor PowerShell commands) or the command-line tool used to disable tamper protection (CbEDRCLI.exe) was found not to be the expected version, or otherwise failed validation.
- In this scenario the alerts are low severity and can be safely ignored.
- An enhancement that surfaces the root cause of the alert in the console is on the roadmap.
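Because the alert is raised when one of the two named components is not the expected version or fails validation, an administrator will usually want to confirm on an affected endpoint that both files are present, carry a valid Authenticode signature, and report the file version shipped with the installed sensor before dismissing the alert. The following PowerShell function is an added example and is not part of this article or the sensor's own tooling. It assumes that the caller supplies the sensor's install directory (the article does not state where these files live), that the component file versions begin with the sensor version string (for example "7.2.0"), and that the function name Get-EdrComponentStatus is hypothetical.

```powershell
# Added example, not from the original KB article or the sensor product.
# Reports the file version and Authenticode signature status of the two
# components that the AlertCbCodeInjection tamper alert validates
# (CbEDRAMSI.dll and CbEDRCLI.exe).
#
# Assumptions (not stated in the article):
#   - $SensorDir is the directory that contains both files; it must be supplied
#     by the caller because the install location varies by deployment.
#   - Component file versions start with the sensor version string, so
#     -ExpectedVersion '7.2.0' is compared with a prefix match.

function Get-EdrComponentStatus {
    [CmdletBinding()]
    param(
        # Directory holding the sensor binaries (assumed; supplied by the caller).
        [Parameter(Mandatory = $true)]
        [string]$SensorDir,

        # Optional sensor version to compare each file version against, e.g. '7.2.0'.
        [string]$ExpectedVersion
    )

    # The two components named in the article's description of the alert.
    $components = 'CbEDRAMSI.dll', 'CbEDRCLI.exe'

    foreach ($name in $components) {
        $path = Join-Path -Path $SensorDir -ChildPath $name

        if (-not (Test-Path -LiteralPath $path)) {
            # A missing component is itself a validation failure worth reporting.
            [pscustomobject]@{
                Component      = $name
                Path           = $path
                FileVersion    = $null
                Signature      = 'Missing'
                Signer         = $null
                VersionMatches = $false
            }
            continue
        }

        $item = Get-Item -LiteralPath $path
        $ver  = $item.VersionInfo.FileVersion

        # Get-AuthenticodeSignature returns Valid when the file is signed and
        # unmodified, NotSigned when it carries no signature, and HashMismatch
        # when the contents no longer match the signed hash (i.e. the file was
        # altered after signing).
        $sig = Get-AuthenticodeSignature -LiteralPath $path

        $versionOk = $null
        if ($ExpectedVersion) {
            $versionOk = [bool]($ver -like "$ExpectedVersion*")
        }

        [pscustomobject]@{
            Component      = $name
            Path           = $path
            FileVersion    = $ver
            Signature      = $sig.Status
            Signer         = $sig.SignerCertificate.Subject
            VersionMatches = $versionOk
        }
    }
}

# Usage, from an elevated PowerShell prompt on an affected endpoint
# (replace the directory with the sensor's actual install location):
# Get-EdrComponentStatus -SensorDir 'C:\Path\To\Sensor' -ExpectedVersion '7.2.0' |
#     Format-Table -AutoSize
```

If both rows show a Valid signature and a matching version, the alert matches the upgrade scenario this article describes. A NotSigned or HashMismatch status, or a version that does not match the installed sensor, is worth a closer look before the alert is dismissed.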