Environment
- App Control Server: All Supported Versions
- App Control Agent: All Supported Versions
- Microsoft Windows: All Supported Versions
Symptoms
Agent is enforcing Execution Blocks on .dll files contained within the "c:\windows\assembly\nativeimages" directory.
Cause
The .NET Runtimes are dynamically generating these files on the endpoint. Some vendors rely upon these files being dynamically generated, and without an Approval Method in place the Agent will enforce execution blocks.
Resolution
Create a Custom Rule that will allow the current files to be executed, and future files to be issued a Local Approval:
- Log in to the Console and go to Rules > Software Rules > Custom > Add Custom Rule.
- Use the following details:
- Rule Name: Approve Dynamic .NET Files (or something memorable)
- Platform: Windows
- Rule Type: Advanced
- Operation: Execute and Write
- Execute Action: Allow
- Write Action: Approve
- Path or File: <relevant files from Block Events, example:>
- c:\windows\assembly\nativeimages_v*_32\*.dll
- c:\windows\assembly\nativeimages_v*_64\*.ni.dll
- c:\windows\assembly\nativeimages_v*_32\*.exe
- c:\windows\assembly\nativeimages_v*_64\*.ni.exe
- Process: <relevant Process(es), or use Any if they cannot be determined>
- User: Any User
- Click Save & Exit
Additional Notes
- This Custom Rule could be further modified by adding an <OnlyIf> Macro if the files share a company value.
- More information on using Macros, and the available options, can be found in the Custom Software Rules chapter of the User Guide.
Related Content