CB Defense: SCCM Deployments Result In False Positive Alerts

Article ID: 286388

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

• Alerts with the following information are seen in the Console:

  The application WmiPrvSE.exe was detected running. A Terminate Policy Action was applied.
  TTPs: RAM_SCRAPING, POLICY_TERMINATE, READ_SECURITY_DATA

  The application GoogleUpdate.exe was detected running. A Terminate Policy Action was applied.
  TTPs: RAM_SCRAPING, POLICY_TERMINATE, READ_SECURITY_DATA

• Deployment may show as complete in SCCM
• Update may show as installed on the Device

Environment

• CB Defense PSC Console: All Versions
• CB Defense Sensor: Version 3.0.2.2 and Higher
• Microsoft Windows 10 64-bit
• System Center Configuration Manager (SCCM)
• Windows Updates deployed by SCCM
• Policy contains a Blocking and Isolation Rule with the following:
  Process: Unknown application or process
  Operation Attempt: Scrapes memory of another process
  Action: Terminate process

Cause

The process starts running before the PSC reputation lookup completes, so the Sensor receives a reputation of UNKNOWN for it. That matches the Blocking and Isolation rule above, and the described Alert is generated.

This occurs due to a known limitation within the CB Defense Sensor.

Resolution

Set a Permission in the Policy for the process:

1. Locate one of the Alerts generated
2. Copy the execution path from the Alert
3. Go to Enforce > Policies
4. Select the applicable Policy
5. Click on the Prevention tab
6. Expand the Permissions section
7. Click "Add application path"
8. Enter the path from Step 2
9. Mark the Bypass checkbox for "Performs any API operation"
10. Click the Confirm button
11. Click the Save button to save the Policy changes

This issue was also observed to be resolved with Sensor version 3.4.0.842.

Additional Information

• It is possible that the process running the install or update is terminated by the Sensor before it finishes, which would require changes to the Policy and/or re-running the SCCM Deployment.
• The environment listed above matches the currently known issue. If you see this issue with other versions of Windows or the Sensor, please let us know through a Support case and we will update this article.
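As an added example that is not part of this article or of the Carbon Black product, the following Python helper parses alerts in the console text format quoted above and flags the ones that fit the reputation-lookup pattern this article describes, so an analyst can separate candidates for the Permission in the Resolution (and deployments that may need re-running) from genuine memory-scraping detections. The process list is an assumption drawn from the two alerts quoted above; the sample alerts are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional
# TTP combination carried by the false-positive alerts quoted in the article.
RACE_TTPS = frozenset({"RAM_SCRAPING", "POLICY_TERMINATE", "READ_SECURITY_DATA"})
# Processes named in those alerts (assumption: extend with your own deployment processes).
DEPLOYMENT_PROCESSES = frozenset({"wmiprvse.exe", "googleupdate.exe"})
# Matches the console alert text format quoted in the article.
ALERT_RE = re.compile(
    r"The application (?P<proc>\S+) was detected running\.\s*"
    r"A Terminate Policy Action was applied\.\s*TTPs:\s*(?P<ttps>[A-Z_,\s]+)"
)

@dataclass(frozen=True)
class Triage:
    process: str
    ttps: frozenset
    likely_reputation_race: bool  # True when the alert fits the article's known issue
    recommendation: str

def parse_alert(text: str) -> Optional[tuple]:
    """Return (process name, TTP set) from one alert, or None if the text does not match."""
    m = ALERT_RE.search(text)
    if m is None:
        return None
    return m["proc"], frozenset(t.strip() for t in m["ttps"].split(",") if t.strip())

def triage(text: str) -> Optional[Triage]:
    """Flag alerts that carry the article's TTP pattern on a known deployment process."""
    parsed = parse_alert(text)
    if parsed is None:
        return None
    proc, ttps = parsed
    is_race = RACE_TTPS <= ttps and proc.lower() in DEPLOYMENT_PROCESSES
    if is_race:
        rec = ("Candidate for a Permission (Bypass 'Performs any API operation') on the alert's "
               "execution path; the terminated SCCM deployment may need to be re-run.")
    else:
        rec = "Treat as a genuine detection; do not exempt without investigation."
    return Triage(proc, ttps, is_race, rec)

# Constructed sample alerts: the two quoted in the article plus one that must not be exempted.
SAMPLE_ALERTS = [
    "The application WmiPrvSE.exe was detected running. A Terminate Policy Action was applied. "
    "TTPs: RAM_SCRAPING, POLICY_TERMINATE, READ_SECURITY_DATA",
    "The application GoogleUpdate.exe was detected running. A Terminate Policy Action was applied.\n"
    "TTPs: RAM_SCRAPING, POLICY_TERMINATE, READ_SECURITY_DATA",
    "The application unknown_tool.exe was detected running. A Terminate Policy Action was applied. "
    "TTPs: RAM_SCRAPING, POLICY_TERMINATE, READ_SECURITY_DATA",
]
```

The third sample carries the same TTPs but an unlisted process, so it is not flagged: the TTP combination alone is not enough to treat an alert as this known issue.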