• A .NET vulnerability would allow attackers to "execute" .NET content without having to load a .dll or .exe file.
• This Custom Rule triggers when a read operation occurs on an Unapproved File.
• Known-good, trusted files, should have an Approval Method to prevent them being written as Locally Unapproved whenever possible.

Reminders:

• This Custom Rule triggers due to the Read operation on an Unapproved File
  • Execution Control (Allow) Rules will not suppress the Event as they do not cover the Read operation.
• This Custom Rule is in Report Only by default and does not actually enforce any Unapproved Blocks.
  • This is by design to allow for environmental tuning for known-good, trusted applications.
  • After environmental tuning is complete this Custom Rule should be disabled in favor of the Custom Rule, Deny read-only memory map operations on unapproved executables by .NET applications

Preventing the Custom Rule from triggering:

Either of the following options will prevent this Custom Rule from triggering for known-good, trusted applications. Review the options below and discuss with your internal teams to determine which option aligns best for the application and environment:

• Approve the File triggering the Custom Rule, examples:
  • Retroactively issuing Local Approvals
  • File Creation Control (Approve) Rule
  • Approval Workflow for New Unapproved File Events
• Add the Process from the Block Event to the Custom Rule, Do not treat these processes as .NET applications
  • In some instances it may not be possible or advisable (ex: cmd.exe) to add the process responsible for these Events.
  • The combinations of processes required to add for a single application may be more than the combination required for a File Creation Control Rule.