
App Control: Seeing Block Events for "Block Loading of DEP Incompatible Images Into Carbon Black Processes" Rule

Environment

  • App Control Server (formerly CB Protection): All Supported Versions

Symptoms

  • An event is logged with the description: Execution of "path\file.name" by "Domain\User" was blocked because of tamper protection
  • The event's Rule Name is: Block loading of DEP incompatible images into Carbon Black (Bit9 for pre-8.0 versions) processes

Cause

A process is attempting to inject into (load an image into) the memory of the App Control notifier process or the Parity.exe agent process, and the tamper-protection rule named in the event blocks that load.

Resolution

There are four potential solutions for this issue, listed from least to most impact on tamper protection:

Solution 1  
If the block is not impacting the functionality of the associated program (or the productivity of the user), the event can simply be ignored; the block is the tamper-protection rule working as intended.

Solution 2
If the events are producing too much noise in the event log, create a saved view that excludes them, using the following steps:
  1. Navigate to Console > Events
  2. Enable the following columns (if they haven’t been already) “Description”, and “Rule Name”
  3. Click on Show/Hide Filter
  4. Select “Rule Name” and “Is Not”
  5. Insert text: “Block loading of DEP incompatible images into Carbon Black (Bit9 for pre-8.0 versions) processes”
  6. Then go to the top, and type in a name for it (ex. Regular View - No DEP)
  7. Click “Add”
  8. This view will now show up in the saved views
Also create a second view that shows only the DEP blocks, so they can be reviewed separately:
  1. Navigate to Console > Events
  2. Enable the following columns (if they haven’t been already) “Description”, and “Rule Name”
  3. Click on Show/Hide Filter
  4. Select “Rule Name” and “Is”
  5. Insert text: “Block loading of DEP incompatible images into Carbon Black (Bit9 for pre-8.0 versions) processes”
  6. Then go to the top, and type in a name for it (ex. DEP Block View)
  7. Click “Add”
  8. This view will now show up in the saved views

Solution 3
If the block is breaking the application, contact the software vendor to find out why their file needs to inject into the Carbon Black (Bit9 for pre-8.0 versions) processes and whether that behavior can be disabled or the Carbon Black processes excluded on their side.

Solution 4
The last option is to create a custom rule that allows the blocked file, circumventing the DEP block.
*Please keep in mind that the rule below bypasses a specific tamper-protection rule: if the allowed file makes changes to the App Control (Bit9 for pre-8.0 versions) files or processes, those changes will no longer be blocked by this rule. Scope the rule as narrowly as possible (the specific file, the specific process and, where practical, specific users and policies).
  1. Navigate to Console > Rules > Software Rules > Custom.
  2. Click on “Add Custom Rule” and fill in the rule as follows:
     Name: Ignore DEP for Program X
     Description: Optional but encouraged (record why the file is being allowed)
     Status: Enabled
     Platform: Windows
     Rule Type: Execution Control
     Execute Action: Allow
     Path or File: The value shown in the “File Path” column of the DEP block event
     Process: The value shown in the “Process” column of the DEP block event
     User or Group: As required; restrict to the affected users where possible
     Rule Applies to: As required; restrict to the affected policies where possible
  3. Click on Save.
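As an added example that is not part of this article and not Carbon Black's own tooling, the following Python script does offline what the two saved views in Solution 2 and the rule form in Solution 4 do in the console: it partitions an exported events list by the DEP rule name, parses the tamper-protection description quoted under Symptoms to recover the blocked path and user, and groups the DEP blocks by File Path and Process so the two values a custom rule needs, and how often and for which users each pair fires, are visible before choosing between ignoring the events, contacting the vendor, or writing a rule. The export column names and every sample row are constructed assumptions, not real console output.

```python
import csv
import io
import re

# Rule name exactly as it is typed into the console filter in Solution 2.
DEP_RULE_NAME = ("Block loading of DEP incompatible images into Carbon Black "
                 "(Bit9 for pre-8.0 versions) processes")

# Matches the event text quoted under Symptoms and captures the path and user.
DESCRIPTION_RE = re.compile(
    r'Execution of "(?P<path>[^"]+)" by "(?P<user>[^"]+)" '
    r"was blocked because of tamper protection"
)

# Constructed sample export (assumption: the column names mirror the console
# columns the procedure refers to). Every row below is invented for illustration.
SAMPLE_EXPORT = (
    "Timestamp,Description,Rule Name,File Path,Process\n"
    '2020-11-09 08:01:00,"Execution of ""c:\\program files\\vendor\\hook.dll"" '
    'by ""CORP\\alice"" was blocked because of tamper protection",'
    + DEP_RULE_NAME +
    ",c:\\program files\\vendor\\hook.dll,c:\\program files\\vendor\\agent.exe\n"
    '2020-11-09 08:05:00,"Execution of ""c:\\program files\\vendor\\hook.dll"" '
    'by ""CORP\\bob"" was blocked because of tamper protection",'
    + DEP_RULE_NAME +
    ",c:\\program files\\vendor\\hook.dll,c:\\program files\\vendor\\agent.exe\n"
    '2020-11-09 09:12:00,"Execution of ""c:\\program files\\other\\helper.dll"" '
    'by ""CORP\\alice"" was blocked because of tamper protection",'
    + DEP_RULE_NAME +
    ",c:\\program files\\other\\helper.dll,c:\\program files\\other\\helper.exe\n"
    '2020-11-09 09:30:00,"File ""c:\\temp\\tool.exe"" was blocked because it is unapproved",'
    "Unapproved file execution,c:\\temp\\tool.exe,c:\\windows\\explorer.exe\n"
)


def load_events(csv_text):
    """Parse an events export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def split_by_dep_rule(events):
    """Return (dep_events, other_events): the same partition the two saved views give."""
    dep = [e for e in events if e["Rule Name"] == DEP_RULE_NAME]
    other = [e for e in events if e["Rule Name"] != DEP_RULE_NAME]
    return dep, other


def parse_description(description):
    """Extract path and user from the tamper-protection block text; None if it does not match."""
    match = DESCRIPTION_RE.search(description)
    return match.groupdict() if match else None


def summarize_dep_blocks(dep_events):
    """Group DEP blocks by (File Path, Process), the two values a Solution 4 rule needs.

    Paths are lower-cased because Windows paths are case-insensitive, so the same
    program is not counted twice if the console reports it with mixed case.
    """
    summary = {}
    for event in dep_events:
        key = (event["File Path"].lower(), event["Process"].lower())
        entry = summary.setdefault(key, {"count": 0, "users": set()})
        entry["count"] += 1
        parsed = parse_description(event["Description"])
        if parsed:
            entry["users"].add(parsed["user"])
    return summary


def rule_candidates(summary):
    """Order the (path, process) pairs by block count so the noisiest program is reviewed first."""
    rows = [
        {"path": path, "process": process,
         "count": entry["count"], "users": sorted(entry["users"])}
        for (path, process), entry in summary.items()
    ]
    return sorted(rows, key=lambda r: (-r["count"], r["path"]))


if __name__ == "__main__":
    dep, other = split_by_dep_rule(load_events(SAMPLE_EXPORT))
    print(f"{len(dep)} DEP block events, {len(other)} other events")
    for cand in rule_candidates(summarize_dep_blocks(dep)):
        print(f"{cand['count']:>3}  path={cand['path']}  process={cand['process']}  "
              f"users={','.join(cand['users'])}")
```

Each line of the output is one candidate for the Path or File and Process fields of a Solution 4 rule; a pair that fires for many users from a single vendor program is a Solution 3 conversation with that vendor, while a pair that fires once from an unexpected location is worth investigating rather than allowing.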

Article Information
Creation Date: 11-09-2020