Report Read-Only Memory Map Operations on Unapproved Executable by .NET Applications
Article ID: 286762
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Events are generated in the Console with the Rule Name "Report read-only memory map operations on unapproved executable by .NET applications".
The Events have a Description similar to:
File C:\Program Files (x86)\ACME Account\software.exe [7C2200C82566DF4CCA6CDDDEF1CD0F03E469C0F5B2E0E93EDEA9BBF325A9AF88] would have blocked if the rule was not in Report Only mode.
Environment
App Control Agent: All Supported Versions
App Control Console: All Supported Versions
Microsoft Windows: All Supported Versions
Cause
A .NET vulnerability allows attackers to "execute" .NET content without having to load the .dll or .exe file. App Control includes a Custom Rule to detect read operations that match this vulnerability.
Resolution
By default, this Custom Rule is in Report Only mode to allow for environmental tuning before the Custom Rule is changed to enforce Block Events.
If a trusted Process or File is triggering this Custom Rule:
Approve the File triggering the Block Events.
Add the Process from the Block Event to the Custom Rule, "Do not treat these processes as .NET applications".
Additional Information
"Allow Execute" rules will not suppress these Events, because such rules do not cover the "reads", which are what actually trigger the rule.
Be sure to research the DLLs triggering the Custom Rule before issuing Approvals to make sure they don't pose a threat to your environment.
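To support that research during the Report Only tuning period, the following added example (not part of App Control or this article's original content) groups event Descriptions by SHA-256 so each unique file is reviewed once, and flags paths seen with more than one hash. It assumes the Descriptions have been exported as plain text lines in the format shown in the sample above; the sample lines and hashes are constructed.

```python
import re
from collections import defaultdict

# Description format taken from the sample event in this article.
EVENT_RE = re.compile(
    r"File (?P<path>.+?) \[(?P<sha256>[0-9A-Fa-f]{64})\] would have blocked "
    r"if the rule was not in Report Only mode"
)

# Constructed sample data (not real events): placeholder hashes and paths.
HASH_A, HASH_B, HASH_C = "A" * 64, "B" * 64, "C" * 64
TAIL = " would have blocked if the rule was not in Report Only mode."
SAMPLE_EVENTS = [
    f"File C:\\Program Files (x86)\\ACME Account\\software.exe [{HASH_A}]{TAIL}",
    f"File c:\\program files (x86)\\acme account\\software.exe [{HASH_A.lower()}]{TAIL}",
    f"File C:\\Program Files (x86)\\ACME Account\\software.exe [{HASH_B}]{TAIL}",
    f"File C:\\Users\\Public\\helper.dll [{HASH_C}]{TAIL}",
    "File C:\\Temp\\x.dll [NOT-A-HASH] would have blocked ...",  # malformed line
]


def summarize(descriptions):
    """Group report-only events by SHA-256; return (by_hash, unparsed_lines)."""
    by_hash = defaultdict(lambda: {"count": 0, "paths": set()})
    unparsed = []
    for line in descriptions:
        m = EVENT_RE.search(line)
        if not m:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        entry = by_hash[m["sha256"].upper()]
        entry["count"] += 1
        entry["paths"].add(m["path"].lower())  # Windows paths are case-insensitive
    return dict(by_hash), unparsed


def paths_with_multiple_hashes(by_hash):
    """Paths whose content changed between events (an update, or a replaced file)."""
    seen = defaultdict(set)
    for sha, entry in by_hash.items():
        for path in entry["paths"]:
            seen[path].add(sha)
    return {p: hashes for p, hashes in seen.items() if len(hashes) > 1}
```

A path that appears with several hashes deserves a closer look before any approval, since approving one hash does not cover the others.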