App Control: Seeing Block Events for "Block Loading of DEP Incompatible Images Into Carbon Black Processes" Rule

Environment

  • App Control Server (formerly CB Protection): All Supported Versions

Symptoms

  • Receiving an Event: “Execution of “path\file.name” by “Domain\User” was blocked because of tamper protection”
  • The Event lists the Rule “Block loading of DEP incompatible images into Carbon Black (Bit9 for pre-8.0 versions) processes”.

Cause

A process is attempting to inject into the process memory of our notifier or of Parity.exe.

Resolution

There are four potential solutions for this issue:

Solution 1
If the block is not impacting the functionality of the associated program (or the productivity of the user), choose to ignore the error.

Solution 2
If the error is producing too much noise in the event log, create a view that doesn’t show these errors with the following steps:
  1. Navigate to Console > Events
  2. Enable the following columns (if they haven’t been already): “Description” and “Rule Name”
  3. Click on Show/Hide Filter
  4. Select “Rule Name” and “Is Not”
  5. Insert text: “Block loading of DEP incompatible images into Carbon Black (Bit9 for pre-8.0 versions) processes”
  6. Then go to the top, and type in a name for it (e.g. Regular View - No DEP)
  7. Click “Add”
  8. This view will now show up in the saved views
Also, create a second view that shows only the DEP blocks, so they can be reviewed separately:
  1. Navigate to Console > Events
  2. Enable the following columns (if they haven’t been already): “Description” and “Rule Name”
  3. Click on Show/Hide Filter
  4. Select “Rule Name” and “Is”
  5. Insert text: “Block loading of DEP incompatible images into Carbon Black (Bit9 for pre-8.0 versions) processes”
  6. Then go to the top, and type in a name for it (e.g. DEP Block View)
  7. Click “Add”
  8. This view will now show up in the saved views

Solution 3
If the block is affecting the application, contact the software vendor to understand why their file needs to touch the Carbon Black (Bit9 for pre-8.0 versions) files and whether it's possible to have them excluded.

Solution 4
The last option is to create a rule to circumvent the DEP Block.
*Please keep in mind that the rule below bypasses a tamper protection rule. If the file being blocked makes changes to the App Control (Bit9 for pre-8.0 versions) files, allowing it may affect those files.
  1. Navigate to Console > Rules > Software Rules > Custom.
  2. Click on “Add Custom Rule” and fill in the following fields:
     Name: Ignore DEP for Program X
     Description: Optional but encouraged
     Status: Enabled
     Platform: Windows
     Rule Type: Execution Control
     Execute Action: Allow
     Path or File: Can be found in the “File Path” column for the DEP event
     Process: Can be found in the “Process” column for the DEP event
     User or Group: Up to you
     Rule Applies to: Up to you
  3. Click on Save.
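
To decide between the solutions above, it helps to see which Process and File Path pairs actually generate the DEP blocks before hiding them or allowing one. The script below is an added example, not part of the original article or of App Control; it assumes the events have been exported to CSV with the console column names “Rule Name”, “Process” and “File Path”, and all sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Prefix shared by the 8.0+ ("Carbon Black") and pre-8.0 ("Bit9") rule names.
DEP_RULE_PREFIX = "block loading of dep incompatible images into"

# Constructed sample export. Column names follow the console columns named in
# the article; the CSV layout, paths and the last rule name are assumptions.
SAMPLE_EXPORT = r"""Rule Name,Process,File Path
Block loading of DEP incompatible images into Carbon Black processes,c:\apps\vendorx\agent.exe,c:\apps\vendorx\hook.dll
Block loading of DEP incompatible images into Carbon Black processes,C:\Apps\VendorX\agent.exe,c:\apps\vendorx\hook.dll
Block loading of DEP incompatible images into Bit9 processes,c:\apps\vendorx\agent.exe,c:\apps\vendorx\hook.dll
Block loading of DEP incompatible images into Carbon Black processes,c:\apps\vendory\tray.exe,c:\apps\vendory\overlay.dll
Example unrelated rule,c:\windows\explorer.exe,c:\temp\setup.exe
"""


def load_events(text):
    """Parse the exported events into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def split_views(events):
    """Return (dep_blocks, everything_else), mirroring the two saved views."""
    dep, other = [], []
    for ev in events:
        is_dep = ev["Rule Name"].strip().lower().startswith(DEP_RULE_PREFIX)
        (dep if is_dep else other).append(ev)
    return dep, other


def summarize(dep_events):
    """Count DEP blocks per (Process, File Path), most frequent first."""
    counts = Counter(
        (ev["Process"].strip().lower(), ev["File Path"].strip().lower())
        for ev in dep_events
    )
    return counts.most_common()


if __name__ == "__main__":
    dep, other = split_views(load_events(SAMPLE_EXPORT))
    print(f"{len(dep)} DEP tamper blocks, {len(other)} other events")
    for (process, path), n in summarize(dep):
        print(f"{n:4d}  {process}  ->  {path}")
```

Each pair in the summary corresponds to one candidate “Process” and “Path or File” value for a Solution 4 rule, so the list shows how many bypass rules would be needed and which vendors to contact first under Solution 3.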

Creation Date: 11-09-2020