Nov 06 2022 03:59 PM
Does anyone have experience working with the DLL rules?
Currently we have implemented the Microsoft recommended block rules and noticed it is blocking a lot of application DLLs. The blocked DLL is frhook.dll.
Our initial thoughts would be that these DLLs would be included within the Microsoft allowed DLLs, however I think that might not be the case. Does anyone know what is within the list of allowed DLLs within the Microsoft block rules?
An example from the code integrity logs is:
Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\FRHook.dll that did not meet the Windows signing level requirements.
Reference: DLL rules in AppLocker (Windows) - Windows security | Microsoft Learn
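Added example (not part of the original post): a small Python parser for messages shaped like the Code Integrity entry quoted above, grouping rejected images by file name so it is clear which DLLs are affected and from which processes. The function names and the second and third sample lines are constructed for illustration; only the first sample line comes from the thread.

```python
import re
from collections import defaultdict

# Message shape taken from the Code Integrity entry quoted in the thread.
CI_MSG = re.compile(
    r"Code Integrity determined that a process \((?P<process>.+?)\) attempted to load "
    r"(?P<image>.+?) that did not meet the (?P<level>.+?) signing level requirements"
)

def leaf(nt_path):
    """File name of an NT device path, lower-cased for case-insensitive grouping."""
    return nt_path.rsplit("\\", 1)[-1].lower()

def summarize(messages):
    """Group rejected images by file name; return (summary, unparsed messages)."""
    summary = defaultdict(lambda: {"count": 0, "processes": set(), "levels": set()})
    unparsed = []
    for msg in messages:
        m = CI_MSG.search(msg)
        if m is None:
            unparsed.append(msg)  # keep for manual review rather than dropping
            continue
        entry = summary[leaf(m["image"])]
        entry["count"] += 1
        entry["processes"].add(leaf(m["process"]))
        entry["levels"].add(m["level"])
    return dict(summary), unparsed

SAMPLE = [
    # From the thread:
    r"Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\FRHook.dll that did not meet the Windows signing level requirements.",
    # Constructed: hypothetical process under "Program Files (x86)" to exercise parentheses in the path.
    r"Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\Example\ExampleApp.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\frhook.dll that did not meet the Microsoft signing level requirements.",
    # Constructed: a line that is not a signing-level event and must not be counted.
    "constructed line that is not a signing-level event",
]

if __name__ == "__main__":
    summary, unparsed = summarize(SAMPLE)
    for dll, info in sorted(summary.items()):
        print(dll, info["count"], sorted(info["processes"]), sorted(info["levels"]))
    print("unparsed:", len(unparsed))
```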
Nov 07 2022 01:26 AM - edited Nov 07 2022 01:27 AM
To be sure... are you using Device Guard or AppLocker? That error, "did not meet the Windows signing level requirements", sounds like Device Guard (Code Integrity). And by the looks of it... did you configure some additional logging?
Enable Code Integrity Event Logging and System Auditing - Windows drivers | Microsoft Learn
Nov 14 2022 05:10 PM