App Control: DLL Blocks On "c:\windows\assembly\nativeimages" Directory
search cancel

App Control: DLL Blocks On "c:\windows\assembly\nativeimages" Directory

book

Article ID: 286432

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Agent is enforcing Execution Blocks on .dll files contained within the "c:\windows\assembly\nativeimages" directory.

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

The .NET Runtimes are dynamically generating these files on the endpoint. Some vendors rely upon these files being dynamically generated, and without an Approval Method in place the Agent will enforce execution blocks.

Resolution

Create a Custom Rule that will allow the current files to be executed, and future files to be issued a Local Approval:
  1. Log in to the Console and go to Rules > Software Rules > Custom > Add Custom Rule.
  2. Use the following details:
    • Rule Name: Approve Dynamic .NET Files (or something memorable)
    • Platform: Windows
    • Rule Type: Advanced
    • Operation: Execute and Write
    • Execute Action: Allow
    • Write Action: Approve
    • Path or File: <relevant files from Block Events, example:>
      • c:\windows\assembly\nativeimages_v*_32\*.dll
      • c:\windows\assembly\nativeimages_v*_64\*.ni.dll
      • c:\windows\assembly\nativeimages_v*_32\*.exe
      • c:\windows\assembly\nativeimages_v*_64\*.ni.exe
    • Process: <relevant Process(es), or use Any if they cannot be determined>
    • User: Any User
  3. Click Save & Exit

Additional Information

  • This Custom Rule could be further modified by adding an <OnlyIf> Macro if the files share a company value.
  • More information on using Macros, and the available options, can be found in the Custom Software Rules chapter of the User Guide.