DLL Blocks On "c:\windows\assembly\nativeimages" Directory

search cancel

DLL Blocks On "c:\windows\assembly\nativeimages" Directory

book

Article ID: 286432

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Agent is enforcing Execution Blocks on .dll files contained within the "c:\windows\assembly\nativeimages" directory.

Environment

App Control Server: All Supported Versions
App Control Agent: All Supported Versions
Microsoft Windows: All Supported Versions

Cause

The .NET Runtimes are dynamically generating these files on the endpoint. Some vendors rely upon these files being dynamically generated, and without an Approval Method in place the Agent will enforce execution blocks.

Resolution

Create a Custom Rule that will allow the current files to be executed, and future files to be issued a Local Approval:

Log in to the Console and go to Rules > Software Rules > Custom > Add Custom Rule.
Use the following details:
- Rule Name: Approve Dynamic .NET Files (or something memorable)
- Platform: Windows
- Rule Type: Advanced
- Operation: Execute and Write
- Execute Action: Allow
- Write Action: Approve
- Path or File: <relevant files from Block Events, example:>
  - c:\windows\assembly\nativeimages_v*_32\*.dll
  - c:\windows\assembly\nativeimages_v*_64\*.ni.dll
  - c:\windows\assembly\nativeimages_v*_32\*.exe
  - c:\windows\assembly\nativeimages_v*_64\*.ni.exe
- Process: <relevant Process(es), or use Any if they cannot be determined>
- User: Any User
Click Save & Exit
Consider adding an AB Exclusion for .NET processes to further suppress some related Event & File data to prevent contributing to Server Backlog.

Additional Information

This Custom Rule could be further modified by adding an <OnlyIf> Macro if the files share a company value.
More information on using Macros, and the available options, can be found in the Custom Software Rules chapter of the User Guide.

Feedback

thumb_up Yes

thumb_down No