Purpose: To report or prevent hollowing of processes.

Description: The minimum Carbon Black App Control Windows Agent version that is required to use this Rapid Config is 8.9.0.

With process hollowing, arbitrary code can be executed in the address space of a separate live process. The Carbon Black App Control Windows Agent can detect process hollowing and, depending on the rule action, report on or terminate the hollowed process and/or its parent. The Process Hollowing Protection Rapid Config enables the rules that take the required action after process hollowing is detected.

Process Hollowing Protection Rapid Config events (for example, custom rule report execution events and execution block events) are displayed in the server console.

Enabled by Default: No
Platform: Windows
Minimum Agent Version Required: 8.9.0

Figure: The Edit Rapid Config page for the Process Hollowing Protection Rapid Config

Rapid Config Settings

As with most rapid configs, you can:

  • Enable or disable the rapid config.
  • Specify what policies the rapid config applies to.

In addition, you can choose to Report or Block process hollowing applications.

Note: We recommend setting each section to Report before setting it to Block. Use the resulting events to confirm that legitimate behavior will not be affected.

For each of the following sections, specify what action you require.

Hollowed Applications

Use this group to specify how to treat application hollowing.

Figure: The Hollowed Applications settings for the Process Hollowing Rapid Config

Report Or Block Process Hollowing Applications:
Should process hollowing applications be reported or blocked? Validate that legitimate process hollowing is not blocked before enabling blocking.
Applications Allowed to Hollow Processes:
Hollowing by these processes is neither reported nor blocked. This reduces the chance of false positives.
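The Report-before-Block recommendation and the Applications Allowed to Hollow Processes setting describe a staged rollout: run in Report mode, tally which parent applications generate hollowing events per policy, add the legitimate ones to the allow list, then preview what Block mode would terminate. The following Python script, added here as an illustration and not code from Carbon Black App Control, models that workflow. The event field names (policy, parent, hollowed), the sample paths and the HollowingRapidConfig class are assumptions constructed for the example, not the console's real event schema or API.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample events modelled on the report events described in the text.
# Field names and paths are assumptions for this example, not the product's schema.
SAMPLE_EVENTS = [
    {"policy": "Workstations",
     "parent": r"C:\Program Files\LegitApp\launcher.exe",
     "hollowed": r"C:\Windows\System32\notepad.exe"},
    {"policy": "Workstations",
     "parent": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "hollowed": r"C:\Windows\System32\svchost.exe"},
    {"policy": "Servers",  # outside the policies the rapid config applies to
     "parent": r"C:\Program Files\LegitApp\launcher.exe",
     "hollowed": r"C:\Windows\System32\notepad.exe"},
    {"policy": "Workstations",  # same launcher, different path casing
     "parent": r"C:\PROGRAM FILES\LegitApp\LAUNCHER.EXE",
     "hollowed": r"C:\Windows\System32\cmd.exe"},
]


@dataclass(frozen=True)
class HollowingRapidConfig:
    """Hypothetical model of the rapid config settings discussed above."""
    enabled: bool = False
    policies: frozenset = frozenset()      # policies the rapid config applies to
    action: str = "Report"                 # "Report" or "Block"
    allowed_hollowers: frozenset = frozenset()  # Applications Allowed to Hollow Processes

    def allows(self, parent: str) -> bool:
        # Windows paths are case-insensitive, so compare normalised paths.
        return parent.lower() in {p.lower() for p in self.allowed_hollowers}


def decide(config: HollowingRapidConfig, event: dict) -> str:
    """Return 'ignore', 'report' or 'block' for one hollowing event."""
    if not config.enabled or event["policy"] not in config.policies:
        return "ignore"
    if config.allows(event["parent"]):
        return "ignore"  # allow-listed parents are neither reported nor blocked
    return config.action.lower()


def parents_by_count(config: HollowingRapidConfig, events: list) -> Counter:
    """Tally Report-mode detections per parent, for the review step before Block."""
    tally = Counter()
    for ev in events:
        if decide(config, ev) == "report":
            tally[ev["parent"].lower()] += 1
    return tally


def preview_block(config: HollowingRapidConfig, allowed: set, events: list) -> list:
    """Parents that would be blocked if the same config switched to Block with `allowed`."""
    block_cfg = HollowingRapidConfig(config.enabled, config.policies, "Block", frozenset(allowed))
    return [ev["parent"] for ev in events if decide(block_cfg, ev) == "block"]


if __name__ == "__main__":
    report_cfg = HollowingRapidConfig(enabled=True, policies=frozenset({"Workstations"}))
    for parent, n in parents_by_count(report_cfg, SAMPLE_EVENTS).most_common():
        print(f"{n:3d}  {parent}")
    # After review: the launcher is legitimate, the Temp-dir binary is not.
    allow = {r"C:\Program Files\LegitApp\launcher.exe"}
    print("would block:", preview_block(report_cfg, allow, SAMPLE_EVENTS))
```

The tally is keyed on the lower-cased parent path so that the two launcher events collapse into one entry, which is what you need when deciding whether a parent belongs on the allow list; preview_block then confirms that only the unreviewed parent would be terminated once the section is switched to Block.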