EDR: Why are a lot of tamper alerts triggered by "AlertCbCodeInjection" after upgrading to the 7.2.0-win agent?

Environment

  • EDR sensor: 7.2.0 and later
  • Windows: All supported versions

Question

Why are a lot of tamper alerts triggered by "AlertCbCodeInjection" after upgrading to the 7.2.0-win agent?

Answer

A new tamper detection was added in the 7.2.0 release, which is why these new tamper alerts are now triggered.

Additional Notes

  • The alert "AlertCbCodeInjection" means that either the EDR AMSI DLL (CbEDRAMSI.dll, used to monitor PowerShell commands) or the CLI tool that disables tamper protection (CbEDRCLI.exe) has been determined not to be the expected version, or otherwise fails validation.
  • These alerts can safely be ignored, as they are not critical.
  • An enhancement to make the root cause clear to users in the console is now on the roadmap.
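To record what is actually on disk when one of these alerts fires, the following PowerShell triage helper (an added example, not the vendor's tooling) reports the file version, Authenticode signature status and SHA-256 of the two binaries named above. The sensor install directory is an assumption and must be supplied; the function name is hypothetical.

```powershell
# Added triage helper (not vendor code). Reports on-disk version and Authenticode
# status of the two components the AlertCbCodeInjection note names, so the values
# can be compared across hosts or against the sensor version shown in the console.
param(
    # ASSUMPTION / placeholder: replace with the sensor's actual install directory
    [string]$SensorDir = 'C:\PATH\TO\SENSOR'
)

function Get-CbEdrComponentStatus {
    param([Parameter(Mandatory)][string]$SensorDir)

    $files = 'CbEDRAMSI.dll', 'CbEDRCLI.exe'
    foreach ($name in $files) {
        $path = Join-Path -Path $SensorDir -ChildPath $name

        if (-not (Test-Path -LiteralPath $path)) {
            # A missing component is itself worth recording alongside the alert
            [pscustomobject]@{
                File = $name; Present = $false; FileVersion = $null
                Signature = $null; Signer = $null; Sha256 = $null; LastWriteUtc = $null
            }
            continue
        }

        $item = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path

        [pscustomobject]@{
            File         = $name
            Present      = $true
            FileVersion  = $item.VersionInfo.FileVersion
            # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signature    = $sig.Status
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Sha256       = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            LastWriteUtc = $item.LastWriteTimeUtc
        }
    }
}

Get-CbEdrComponentStatus -SensorDir $SensorDir | Format-List
```

A Signature status other than Valid, or a FileVersion that differs from the sensor version reported in the console, is the detail to include when raising the alert with support.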

Creation Date: 03-31-2022