VMware Carbon Black Cloud Endpoint Increase of Code Injection Alerts Using CreateRemoteThread or NtQueueApcThread

Affected Products:

• VMware Carbon Black Cloud Endpoint

Affected Versions:

• v3.7.0.1253

After upgrading or installing sensor version 3.7.0.1253, you may see an increase in observed alerts for code injection by calling for the functions CreateRemoteThread or NtQueueApcThread.

Support is investigating the changes that caused the increase of observed alerts for a permanent fix.

You can safely dismiss the inject code alerts that are being observed for the functions of CreateRemoteThread or NtQueueApcThread.

To verify and dismiss these alerts

1. In a web browser, go to [REGION].conferdeploy.net.
   Note: [REGION] = Region of tenant

   • Americas = https://defense-prod05.conferdeploy.net
   • Europe = https://defense-eu.conferdeploy.net/
   • Asia Pacific = https://defense-prodnrt.conferdeploy.net/
   • Australia and New Zealand = https://defense-prodsyd.conferdeploy.net
2. Sign In to the VMware Carbon Black Cloud.
   
3. In the left menu pane, click Alerts.
   
4. Click the carrot to expand the alert.
   
5. Click the Investigate icon.
   
6. Verify the function being called is either CreateRemoteThread or NtQueueApcThread.
   
   Note: If inject code alerts are being observed for any other function besides CreateRemoteThread or NtQueueApcThread, reach out to support to investigate further. Reference How to Get Support for VMware Carbon Black Cloud Endpoint.
7. Expand the corresponding event and click Dismiss Alert.
   
8. Click Dismiss
   
   Note: You can elect to dismiss all future occurrences by checking the field next to If this alert occurs in the future, automatically dismiss it from all devices.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.