
Report read-only memory map operations on unapproved executable by .NET applications

Version

7.2.3+

Topic

After upgrading to 7.2.3 there are many events reading "* would have been blocked if policy settings were not in Report Only mode." even though the endpoint in question is in an enforced policy.

Q/A

Why am I starting to see these events?

This rule was added, and enabled by default, to address a vulnerability in which an attacker can "execute" .NET content without the .dll ever being loaded for execution, so an execute-based check never sees it.

The mitigation is to deny the "read" instead of the "execute". Any process hosting the .NET runtime that memory-maps a .dll or .exe read-only is treated as executing that file unless the file is approved. By default the rule is set to Report Only, but it can be changed to Block or Prompt depending on which rules are enabled (please read the "Notes" at the bottom first).

How can I confirm this is the rule causing this?

In the console, add the "Rule Name" column on the Reports > Events page. For these events it reads "Report read-only memory map operations on unapproved executable by .NET applications".

Is there any info on the vulnerability?

There are a few discussions in the User eXchange forums. Feel free to continue the discussion there with additional questions or concerns.

https://community.carbonblack.com/message/5775#comment 

ShmooCon 2015 whitelisting vulnerability

Banned File Execution via InstallUtil.exe

How can I reduce these events?

Approving the DLLs in question suppresses these events. You will need to do the research to determine whether each file should be approved. Contact your sales rep about Professional Services help in safely tuning your environment.

The whitepaper "Enabling Script Rules After Implementation" covers some general awareness:

Enabling New Script Rules After Implementation.pdf

I have an allow execute rule created for .NET files. Why am I still seeing these?

Allow-execute rules only permit the DLLs to run; they do not cover the reads that this rule acts on. Approving the files themselves does cover both.
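The following is an added illustration, not Carbon Black's code and not a description of how the agent implements the check internally. It models the rule as this article describes it: a read-only memory map of an unapproved .dll/.exe by a process hosting the .NET runtime is treated as an execute and reported (or blocked/prompted, depending on the mode), a file approval suppresses it, and a custom allow-execute rule does not, because that rule only covers execute operations. It also groups the reported events by file, which is the research step needed before approving anything. The FileOp fields, the "CLR module loaded" heuristic for spotting a .NET host, the assumption that an enforced policy blocks unapproved execution, and the sample events are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

RULE_NAME = ("Report read-only memory map operations on unapproved "
             "executable by .NET applications")

# Assumption for this model only: a process counts as hosting the .NET
# runtime once one of these CLR modules is loaded in it.
CLR_MODULES = frozenset({"mscoree.dll", "clr.dll", "mscorwks.dll", "coreclr.dll"})
EXECUTABLE_EXTS = (".dll", ".exe")
MODE_VERDICT = {"report": "reported", "block": "blocked", "prompt": "prompted"}


@dataclass(frozen=True)
class FileOp:
    host: str
    process: str
    modules: frozenset   # module names already loaded in the process
    path: str
    operation: str       # "execute" or "mmap_read" (read-only memory map)
    approved: bool       # file-level approval (global/local), not a custom rule


def hosts_dotnet(op):
    return bool({m.lower() for m in op.modules} & CLR_MODULES)


def evaluate(op, mode="report", allow_execute_prefixes=()):
    """Verdict for one file operation under an enforced policy.

    mode: what the .NET read rule does on a match: "report" (default),
          "block" or "prompt".
    allow_execute_prefixes: path prefixes covered by custom allow-execute
          rules; these permit execution only and never cover reads.
    Assumption: unapproved execution is blocked in the enforced policy.
    """
    if op.approved:
        return "allowed"
    path = op.path.lower()
    if op.operation == "execute":
        if any(path.startswith(p.lower()) for p in allow_execute_prefixes):
            return "allowed"
        return "blocked"
    if (op.operation == "mmap_read"
            and path.endswith(EXECUTABLE_EXTS)
            and hosts_dotnet(op)):
        # The read-only map of an unapproved executable by a .NET host is
        # treated as an execute of that file.
        return MODE_VERDICT[mode]
    return "allowed"


def summarize_reports(ops, mode="report", allow_execute_prefixes=()):
    """Group operations the rule reports by file path, with the hosts and
    processes involved, to prioritize which files to research for approval."""
    summary = defaultdict(lambda: {"count": 0, "hosts": set(), "processes": set()})
    for op in ops:
        if evaluate(op, mode, allow_execute_prefixes) == "reported":
            entry = summary[op.path]
            entry["count"] += 1
            entry["hosts"].add(op.host)
            entry["processes"].add(op.process)
    return dict(summary)


# Constructed sample events for this example (not real telemetry).
DOTNET = frozenset({"ntdll.dll", "mscoree.dll", "clr.dll"})
NATIVE = frozenset({"ntdll.dll", "kernel32.dll"})
SAMPLE_OPS = [
    FileOp("ws01", "powershell.exe", DOTNET, r"C:\Tools\Helper.dll", "mmap_read", False),
    FileOp("ws02", "powershell.exe", DOTNET, r"C:\Tools\Helper.dll", "mmap_read", False),
    FileOp("ws01", "installutil.exe", DOTNET, r"C:\Users\bob\payload.exe", "mmap_read", False),
    FileOp("ws01", "notepad.exe", NATIVE, r"C:\Tools\Helper.dll", "mmap_read", False),   # not a .NET host
    FileOp("ws01", "powershell.exe", DOTNET, r"C:\Windows\System32\approved.dll", "mmap_read", True),  # approved file
    FileOp("ws03", "powershell.exe", DOTNET, r"C:\Tools\readme.txt", "mmap_read", False),   # not an executable
    FileOp("ws03", "explorer.exe", NATIVE, r"C:\Tools\Helper.dll", "execute", False),
]

if __name__ == "__main__":
    for op in SAMPLE_OPS:
        print(f"{op.host} {op.process} {op.operation} {op.path}: {evaluate(op)}")
    for path, entry in summarize_reports(SAMPLE_OPS).items():
        print(f"{RULE_NAME}: {path} x{entry['count']} on {sorted(entry['hosts'])}")
```

Run it as-is to see the default report-only behaviour; pass `mode="block"` to see what the same events look like once the block rule is enabled, and pass `allow_execute_prefixes=("C:\\Tools\\",)` to confirm that an allow-execute rule changes the execute verdict but leaves the read-only map reports untouched.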

Notes:

By default this rule should only report. If you are seeing blocks, review this bulletin from release engineering: CRITICAL PRODUCT NOTICE – Cb Protection (Bit9 Platform) v7.2.3 Rules Block All DLLs. Do not enable.

Creation Date: 07-25-2016