.NET DLL Files
In ThreatLocker Windows Agent versions below 10.0, some .NET DLL files were reported by the calling executable to Windows as a 'Read' and were treated as such by ThreatLocker.
Beginning in Windows Agent 10.0, these files are being recategorized by ThreatLocker as 'Executes', and are therefore subject to Application Control policies.
Computers that were originally deployed on versions before 10.x and then upgraded to 10.x may see an increase in such DLL files being denied. This will likely be more impactful in organizations with ongoing in-house development.
To assist with unwanted .NET DLL blocks, ThreatLocker has 'Options' that can be enabled for a specific computer, group, or the entire organization.
- DotnetDllLearnComputer – This will apply to a specific computer and will enable .NET DLLs to be learned and permitted at the computer level.
- DotnetDllLearnGroup – This will apply to a specific computer group and will enable .NET DLLs to be learned and permitted at the computer group level.
- DotnetDllLearnSystem – This will allow .NET DLLs to be learned into the System Policies at the computer level.
- DotnetDllMonitorOnly – This will monitor .NET DLLs on the computer/group/org based on where the options tab was opened. No files will be learned, but all activity will be captured in the Unified Audit.
The above options, applied appropriately, will likely alleviate these .NET DLL blocks. We do, however, recommend adding additional custom rules where necessary, especially for apps that are developed in-house and are therefore likely to change.
If you require assistance or want more information, please reach out to the Cyber Hero Support Team.
Computers that are freshly installed with Windows Agent 10.0 or greater will not be impacted.