Endpoint Standard: App is blocked from injecting code, modifying memory of another process, or scraping memory (Unexpected Block)

Environment

  • Carbon Black Cloud (Formerly PSC) Console: All Versions
  • Endpoint Standard (Formerly CB Defense) Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Symptoms

  • No policy rule was configured for the operation "<application name>.exe Scrapes memory of another process or Injects code or modifies memory of another process TERMINATE"
  • Application has a Whitelist Reputation
  • Application is terminated when it attempts to inject code, modify memory of another process, or scrape memory
    Example:
    The application C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". The operation was blocked and the application terminated by Cb Defense.

Cause

In addition to policy rules, the Endpoint Standard Sensor applies additional criteria to code injection and memory scraping events to determine whether those events are truly malicious.

Resolution

  • If the processes involved in the inject code and scrape memory events meet these additional criteria, these operations will be blocked regardless of the policy rules configured. 
  • Some of the criteria considered:
    • The process targeted by the scrape memory operation
    • The number of distinct processes targeted by the scrape memory operation, and how many times each is targeted
    • The number of times the process is trying to modify memory or inject code 
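As an added illustration (not Carbon Black's code), the following Python models the three criteria above as a check over constructed cross-process memory-access events, including the powershell.exe-to-lsass.exe read from the example. The sensitive-process list and the two thresholds are assumptions; the article does not publish the sensor's real values.

```python
import ntpath
from collections import Counter, defaultdict

# Assumed values for illustration only; the article lists the criteria but
# not the sensor's actual sensitive-process list or thresholds.
SENSITIVE_TARGETS = {"lsass.exe", "csrss.exe", "winlogon.exe"}
MAX_DISTINCT_TARGETS = 3   # distinct processes one source may touch
MAX_ATTEMPTS = 5           # total inject/scrape attempts by one source

# Constructed sample events: (source exe, target exe, API called), modelled
# on the article's example of powershell.exe reading lsass.exe.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\lsass.exe", "NtReadVirtualMemory"),
    (r"C:\Tools\dbg.exe", r"C:\Users\dev\app.exe", "NtReadVirtualMemory"),
] + [
    (r"C:\Users\x\AppData\Local\Temp\dropper.exe",
     ntpath.join(r"C:\Windows", t + ".exe"), "NtWriteVirtualMemory")
    for t in ("notepad", "explorer", "svchost", "dllhost")
] + [
    (r"C:\Users\x\spray.exe", r"C:\Windows\explorer.exe", "NtWriteVirtualMemory")
] * 6


def evaluate(events):
    """Map each source process to the reasons it would be blocked; sources
    that trip none of the criteria are absent from the result."""
    targets = defaultdict(set)   # source -> distinct target processes
    attempts = Counter()         # source -> total inject/scrape attempts
    reasons = defaultdict(set)
    for src, dst, api in events:
        targets[src].add(dst)
        attempts[src] += 1
        name = ntpath.basename(dst).lower()
        if name in SENSITIVE_TARGETS:          # criterion 1: who is targeted
            reasons[src].add(f"targets {name} via {api}")
    for src in targets:
        if len(targets[src]) > MAX_DISTINCT_TARGETS:   # criterion 2
            reasons[src].add(f"touches {len(targets[src])} distinct processes")
        if attempts[src] > MAX_ATTEMPTS:               # criterion 3
            reasons[src].add(f"{attempts[src]} attempts")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    for src, why in evaluate(SAMPLE_EVENTS).items():
        print(f"BLOCK {ntpath.basename(src)}: {'; '.join(why)}")
```

The single powershell.exe read of lsass.exe is flagged on the target alone, which is why the reputation of the source process and the absence of a policy rule do not prevent the block.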

Article Information
Creation Date: 11-30-2018