Access official resources from Carbon Black experts
Cb Protection (formerly Bit9) 7.2.3 and higher
When the SCCM inventory process runs, Execution Block (unapproved file) events are seen in the console.
If viewing the events in the console and adding the 'Rule Name' column to the results, the rule name is shown as Report read-only memory map operations on unapproved executable by .NET applications.
The process shown generating the events is ccmexec.exe.
SCCM is configured to index executable or other files in the environment. When the ccmexec.exe process does the inventory scan, it triggers the rule mentioned above, generating 'would have been blocked' events in the console. A sample of an SCCM configuration is attached.
To resolve, a software rule can be created to allow read only memory map operations by ccmexec.exe. The rule should be placed towards the top of the list to have a high priority.
To create the rule in the console:
A sample is shown below.
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.