7.2.3+
After upgrading to 7.2.3 there are many events for "* would have been blocked if policy settings were not in Report Only mode." even though the endpoint in question is in an enforced policy.
By default we have added this new rule to address a vulnerability in which an attacker can "execute" .NET content without ever having to load the .dll for execution.
The mitigation for this was to deny the "read" instead of the "execute". Any process hosting the .NET runtime that memory-maps a .dll or .exe read-only is treated as an execute unless the file is approved. By default this rule is set to Report Only, but it can be changed to Block or Prompt depending on which rules are enabled (please see "notes" at the bottom first).
In the console you can add the "rule name" column on the Reports > Events page. For these events it will read "Report read-only memory map operations on unapproved executable by .NET applications".
We have a few discussions here in the User eXchange forums. Please feel free to continue the discussion with additional questions or concerns.
https://community.carbonblack.com/message/5775#comment
ShmooCon 2015 whitelisting vulnerability
Banned File Execution via InstallUtil.exe
Approving the dlls in question would suppress these events. You will need to do the research needed in order to determine if the file should be approved or not. Contact your sales rep for Professional Services help in safely tuning your environment.
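As an added example (not code from the article or from Carbon Black), the following Python script groups the report-only events by the unapproved file and the processes that mapped it, so each file can be researched before deciding whether to approve it. The pipe-separated export layout and the sample event lines are constructed assumptions, not the console's real export format.

```python
import re
from collections import defaultdict

# Rule name shown in the "rule name" column of Reports > Events (from the article).
RULE_NAME = ("Report read-only memory map operations on unapproved "
             "executable by .NET applications")
# Matches the event description quoted in the article; captures the file path.
REPORT_ONLY_RE = re.compile(
    r"^(?P<path>.+?) would have been blocked if policy settings "
    r"were not in Report Only mode\.$")

# Constructed sample export. The layout timestamp|policy|rule name|process|description
# is an assumption for this example only.
SAMPLE_EVENTS = r"""
2023-05-01 10:00:01|Servers-Enforced|Report read-only memory map operations on unapproved executable by .NET applications|c:\windows\system32\inetsrv\w3wp.exe|c:\inetpub\bin\Vendor.Web.dll would have been blocked if policy settings were not in Report Only mode.
2023-05-01 10:00:05|Servers-Enforced|Report read-only memory map operations on unapproved executable by .NET applications|c:\windows\system32\inetsrv\w3wp.exe|c:\inetpub\bin\Vendor.Web.dll would have been blocked if policy settings were not in Report Only mode.
2023-05-01 10:02:17|Servers-Enforced|Report read-only memory map operations on unapproved executable by .NET applications|c:\program files\app\svc.exe|c:\program files\app\Helper.dll would have been blocked if policy settings were not in Report Only mode.
2023-05-01 10:03:00|Servers-Enforced|Report read-only memory map operations on unapproved executable by .NET applications|c:\windows\system32\inetsrv\w3wp.exe|c:\inetpub\bin\Vendor.Web.dll would have been blocked if policy settings were not in Report Only mode.
2023-05-01 10:04:30|Servers-Enforced|Some other rule (constructed)|c:\windows\explorer.exe|c:\users\bob\downloads\tool.exe was blocked.
"""

def parse_events(text):
    """Yield one dict per well-formed event line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split("|", 4)
        if len(fields) != 5:
            continue
        ts, policy, rule, process, desc = fields
        yield {"ts": ts, "policy": policy, "rule": rule,
               "process": process, "desc": desc}

def triage(text):
    """Return {file_path: {"count": n, "processes": [...]}} for report-only
    .NET read-map events, most frequent file first, paths lowercased."""
    summary = defaultdict(lambda: {"count": 0, "processes": set()})
    for ev in parse_events(text):
        if ev["rule"] != RULE_NAME:
            continue  # only the rule this article is about
        m = REPORT_ONLY_RE.match(ev["desc"])
        if not m:
            continue  # a real block or prompt, not a report-only event
        entry = summary[m.group("path").lower()]
        entry["count"] += 1
        entry["processes"].add(ev["process"].lower())
    return {p: {"count": e["count"], "processes": sorted(e["processes"])}
            for p, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"])}

if __name__ == "__main__":
    for path, info in triage(SAMPLE_EVENTS).items():
        print(f"{info['count']:4d}  {path}  mapped by {', '.join(info['processes'])}")
```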
Here's a whitepaper for "Enabling Script Rules After Implementation" that covers some general awareness.
Enabling New Script Rules After Implementation.pdf
Allow-execute rules only allow the .dlls to run; they do not cover the reads.
By default this rule should only report. If you are seeing blocks, please review this bulletin provided by release engineering: CRITICAL PRODUCT NOTICE – Cb Protection (Bit9 Platform) v7.2.3 Rules Block All DLLs. Do not enable.