
SCCM Inventory Process Causing Blocks

Version

Cb Protection (formerly Bit9) 7.2.3 and higher

Issue

When the SCCM inventory process runs, Execution Block (unapproved file) events are seen in the console.

Symptoms

When viewing the events in the console with the 'Rule Name' column added to the results, the rule name shown is 'Report read-only memory map operations on unapproved executable by .NET applications'.

The process shown generating the events is ccmexec.exe.

Cause

SCCM is configured to index executable or other files in the environment. When the ccmexec.exe process performs the inventory scan, it triggers the rule mentioned above, generating 'would have been blocked' events in the console. A sample of an SCCM configuration is attached.

Solution

To resolve this, create a custom software rule that allows read-only memory map operations by ccmexec.exe. Place the rule towards the top of the list so that it has a high priority and is evaluated before the reporting rule.

To create the rule in the console:

  1. Navigate to Rules > Software Rules > Custom.
  2. Click Add Custom Rule.
  3. Set the following parameters:
    1. Rule Type: Advanced
    2. Operation: Execute
    3. Execute Action: Allow Read-Only Memory Map
    4. Path or File: *.exe (add further extensions here if your SCCM is configured to inventory those file types)
    5. Process: C:\windows\ccm\ccmexec.exe (verify the exact location of the executable; different SCCM versions may install it in different locations)
    6. User or Group: Local System
  4. Save the rule.
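Step 5 asks you to verify where ccmexec.exe actually lives before putting the path into the rule. The following PowerShell script is an added example, not part of the article or of any Carbon Black or Microsoft tooling. It reads the executable path from the SCCM client's service registration (assuming the service is registered under its standard name, CcmExec), checks the binary's Authenticode signature so that the allow rule is only created for a validly Microsoft-signed file, and reports the account the service runs as so it can be compared with the rule's 'User or Group' value.

```powershell
# Added example (not from the Carbon Black article): resolve the SCCM client
# binary from its service registration and check its signature before creating
# the allow rule. Assumes the SCCM client service is registered as 'CcmExec'.

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='CcmExec'"
if (-not $svc) {
    Write-Warning "CcmExec service not found; is the SCCM client installed on this host?"
    return
}

# PathName may be quoted and may carry arguments; keep only the executable path.
$exePath = $svc.PathName -replace '^"([^"]+)".*$', '$1'
if ($exePath -eq $svc.PathName) { $exePath = ($svc.PathName -split ' ')[0] }

Write-Host "Service binary : $exePath"
if ($exePath -ine 'C:\windows\ccm\ccmexec.exe') {
    Write-Host "Note: path differs from the article's default; use this value in the rule's Process field."
}

# Only whitelist read-only memory map operations for a binary that is validly signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $exePath
Write-Host "Signature      : $($sig.Status)"
Write-Host "Signer         : $($sig.SignerCertificate.Subject)"

if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    Write-Warning "Binary is not validly signed by Microsoft; investigate before adding an allow rule for it."
}

# The service normally runs as LocalSystem, which matches the rule's 'Local System' user/group value.
Write-Host "Runs as        : $($svc.StartName)"
```

Run the script on a representative SCCM client with the Cb Protection agent installed; the reported binary path is the value for the rule's Process field, and any signature warning means the rule should not be created until the discrepancy is understood.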

A sample rule is shown below (Sample_PO_Rule.png).

Article Information
Creation Date: 09-26-2016