Environment
- App Control Agent: 8.1.8 and Lower
- Microsoft Window: All Supported Versions
Symptoms
File locking on a randomly generated and randomly named file matching:
C:\users\<USERNAME>\Appdata\Local\Temp\expression_host_*.dll
Cause
This is caused by a temporary sharing violation on the analysis during write, of the DLL during the hashing process.
Resolution
Sharing violations are significantly reduced on agent versions 8.1.10 and higher. An upgrade the most recent release is recommended.
If upgrade is not possible, a work around can be applied to ignore the write of the DLL. This allows the hashing to take place further in the chain, when the execution of the DLL takes place. Enter a custom rule below:
Rule Type
Performance Optimization
Target File or Path
C:\Users\*\AppData\Local\Temp\expression_*.dll
Target Process
vbc.exe
Policy
If possible only select the policy, with the device effected
Additional Notes
The work around above, does reduce visibility to DLL matching the name, written to that directory. Please review, and approve with your security team.
Related Content