App Control: DLL Blocks On "c:\windows\assembly\nativeimages" Directory

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Symptoms

Agent is enforcing Execution Blocks on .dll files contained within the "c:\windows\assembly\nativeimages" directory.

Cause

These files are .NET native images that the .NET runtime compiles dynamically on the endpoint, and no existing Approval Method covers them, so the agent treats them as unapproved.

Resolution

  1. Login to the Console and go to Rules > Software Rules > Custom > Add Custom Rule.
  2. Create a new Custom Rule using the following initial details:
    Status: Enabled
    Rule Type: Advanced
    Operation: Execute and Write
    Execute Action: Allow
    Write Action: Approve
    
    File or path:
    c:\windows\assembly\nativeimages_v*_32\*.dll
    c:\windows\assembly\nativeimages_v*_64\*.ni.dll
    c:\windows\assembly\nativeimages_v*_32\*.exe
    c:\windows\assembly\nativeimages_v*_64\*.ni.exe
    
    Process: 
    List the processes that are executing the files, or use Any if those processes cannot be determined.
    
    User or Group: 
    Any User
    
  3. Click Save & Exit

Additional Notes

  • This Custom Rule could be further modified by adding an <OnlyIf> Macro if the files share a company value. For example:
    <OnlyIf:Company:Microsoft*:<windows>\assembly\nativeimages_v*_32\*.dll>
  • More information on using Macros, and the available options, can be found in the Custom Software Rules chapter of the User Guide.
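Before saving the rule (or narrowing it with an <OnlyIf:Company:...> macro), it is worth confirming what actually lives under the native-image directories on a representative endpoint. The following PowerShell script is an added example, not part of this article or of the App Control product: it inventories every .dll and .exe beneath each NativeImages_v* directory, records the file's CompanyName (the value the Company macro tests) and its Authenticode status, and lists any file whose CompanyName would fall outside a Microsoft* match. It assumes it is run as an administrator on the endpoint, that $env:windir is the <windows> location, and that the CSV output path is an arbitrary choice.

```powershell
# Added example (not from the KB article): inventory the native-image directories the
# Custom Rule will cover so its scope, and any <OnlyIf:Company:Microsoft*:...> macro,
# can be checked against real data before the rule is saved.
# Assumptions: run elevated on the endpoint; $env:windir is <windows>; output path is arbitrary.

$assemblyRoot = Join-Path $env:windir 'assembly'
$roots = Get-ChildItem -Path $assemblyRoot -Directory -Filter 'NativeImages_v*' -ErrorAction SilentlyContinue

$results = foreach ($root in $roots) {
    # Same extensions the Custom Rule lists; .ni.dll / .ni.exe are covered by *.dll / *.exe
    Get-ChildItem -Path $root.FullName -Recurse -File -Include '*.dll', '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Directory = $root.Name
                Path      = $_.FullName
                Company   = $_.VersionInfo.CompanyName
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# How many files carry each CompanyName value (what the Company macro would see)
$results | Group-Object Company | Select-Object Name, Count | Sort-Object Count -Descending

# Native images are generated locally, so most will not carry a valid Authenticode signature;
# this count shows why a publisher-based approval cannot cover them.
$unsigned = @($results | Where-Object { $_.SigStatus -ne 'Valid' })
'{0} of {1} files do not have a valid Authenticode signature' -f $unsigned.Count, $results.Count

# Files whose CompanyName does not start with "Microsoft" would be left unapproved by an
# <OnlyIf:Company:Microsoft*:...> macro; list them so they can be reviewed before the rule is narrowed.
$results | Where-Object { $_.Company -notlike 'Microsoft*' } | Select-Object Path, Company, SigStatus

# Keep the full inventory for the change record
$results | Export-Csv -Path (Join-Path $env:TEMP 'nativeimages-inventory.csv') -NoTypeInformation
```

Run the script on an endpoint that has already reported blocks; the Company breakdown tells you whether a single Company value is shared by the files (so the OnlyIf macro is safe), and the non-Microsoft list shows exactly which files would still be blocked after narrowing the rule.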

Article Information
Creation Date: 01-24-2019