logo

Knowledge Base

Access official resources from Carbon Black experts

Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: DLL Blocks On "c:\windows\assembly\nativeimages" Directory

App Control: DLL Blocks On "c:\windows\assembly\nativeimages" Directory

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Symptoms

Agent is enforcing Execution Blocks on .dll files contained within the "c:\windows\assembly\nativeimages" directory.

Cause

These files are .NET native images dynamically compiled by .NET Runtimes on the endpoint and an Approval Method does not already exist.

Resolution

  1. Login to the Console and go to Rules > Software Rules > Custom > Add Custom Rule.
  2. Create a new Custom Rule using the following initial details: 
    Status: Enabled
Rule Type: Advanced
Operation:  Execute and Write
Execute Action: Allow
Write Action: Approve

File or path:
c:\windows\assembly\nativeimages_v*_32\*.dll
c:\windows\assembly\nativeimages_v*_64\*.ni.dll
c:\windows\assembly\nativeimages_v*_32\*.exe
c:\windows\assembly\nativeimages_v*_64\*.ni.exe

Process: 
List the processes that are executing the files, or use Any if those processes cannot be determined.

User or Group: 
Any User
  3. Click Save & Exit

Additional Notes

  • This Custom Rule could be further modified by adding an <OnlyIf> Macro if the files share a company value. For example: 
    <OnlyIf:Company:Microsoft*:<windows>\assembly\nativeimages_v*_32\*.dll>
  • More information on using Macros, and the available options, can be found in the Custom Software Rules chapter of the User Guide.

Related Content


Labels (1)
Labels:
Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
CB_Support
Creation Date:
‎01-24-2019
Views:
1916
Contributors
logo