Nov 06 2022 03:59 PM
Has anyone had experience working with the DLL rules?
Currently we have implemented the Microsoft recommended block rules and noticed that they are blocking a lot of application DLLs. The blocked DLL is frhook.dll.
Our initial thought was that these DLLs would be included within the Microsoft allowed DLLs; however, I think that might not be the case. Does anyone know what is within the list of allowed DLLs within the Microsoft block rules?
An example from the code integrity logs is:
Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\FRHook.dll that did not meet the Windows signing level requirements.
Reference: DLL rules in AppLocker (Windows) - Windows security | Microsoft Learn
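As an added example (not code from the original poster), the following PowerShell pulls the same Code Integrity events the post quotes, extracts the loading process and the refused file, and then checks each refused file's Authenticode status so you can see why it "did not meet the Windows signing level requirements". It assumes an elevated session on the affected machine; the mapping of `\Device\HarddiskVolumeN` to `$env:SystemDrive` is a simplifying assumption that holds on a single-volume system.

```powershell
# Added example: summarise WDAC / Code Integrity block events and inspect the
# signatures of the files that were refused. Not part of the original post.
# Assumes an elevated PowerShell session on the machine that logged the events.

function Get-CiBlockedFile {
    [CmdletBinding()]
    param(
        # 3077 = enforced block, 3076 = audit mode "would have been blocked"
        [int[]]$EventId = @(3076, 3077),
        [int]$MaxEvents = 500
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = $EventId
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Message text has the shape quoted in the post:
        # "... a process (<exe>) attempted to load <dll> that did not meet ..."
        if ($e.Message -match 'process \((?<proc>[^)]+)\) attempted to load (?<file>.+?) that did not meet') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = $e.Id
                Process = $Matches.proc
                File    = $Matches.file
            }
        }
    }
}

function ConvertTo-DosPath {
    param([Parameter(Mandatory)][string]$NtPath)
    # Assumption: the logged volume is the system volume. On multi-volume
    # machines, resolve HarddiskVolumeN properly before relying on this.
    return ($NtPath -replace '^\\Device\\HarddiskVolume\d+', $env:SystemDrive)
}

function Test-CiBlockedFileSignature {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][pscustomobject]$Blocked)
    process {
        $dosPath = ConvertTo-DosPath -NtPath $Blocked.File
        if (-not (Test-Path -LiteralPath $dosPath)) {
            return [pscustomobject]@{ File = $dosPath; Status = 'NotFound'; Signer = $null; IsOSBinary = $false }
        }
        # Get-AuthenticodeSignature also consults the Windows catalogs, so a
        # catalog-signed OS component shows Valid with IsOSBinary = True.
        $sig = Get-AuthenticodeSignature -LiteralPath $dosPath
        [pscustomobject]@{
            File       = $dosPath
            Status     = $sig.Status
            Signer     = $sig.SignerCertificate.Subject
            IsOSBinary = $sig.IsOSBinary
        }
    }
}

# Usage: which files are being refused most often, then who signed them (if anyone).
$blocked = Get-CiBlockedFile
$blocked | Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$blocked | Sort-Object File -Unique | Test-CiBlockedFileSignature | Format-Table -AutoSize
```

A file that shows `Status = NotSigned`, or `Valid` with a non-Microsoft signer and `IsOSBinary = False`, will not satisfy a policy whose allow rules are limited to Windows-signed code; that is the first thing to establish before deciding whether the policy needs a supplemental rule for it.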
Nov 07 2022 01:26 AM - edited Nov 07 2022 01:27 AM
To be sure... are you using Device Guard or AppLocker? That error, "did not meet the Windows signing level requirements", sounds like Device Guard (code integrity). And by the looks of it... did you configure some additional logging?
Enable Code Integrity Event Logging and System Auditing - Windows drivers | Microsoft Learn
Nov 14 2022 05:10 PM
Feb 28 2023 05:51 AM - edited Feb 28 2023 05:56 AM
Hi, the link you mentioned belongs to AppLocker.
Microsoft recommended block rules are here:
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-co...
and I searched for the DLL file you mentioned and couldn't find it in there.
When using a 3rd party AV, I suggest turning on EDR in Microsoft Defender in Windows and setting it to block mode:
More info about WDAC and its deployment methods (you don't need AppLocker when using WDAC, as WDAC is superior and provides more protection):
https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction
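To make the check in the reply above repeatable, here is an added PowerShell example (not code from the thread or from the linked projects) that loads a WDAC policy XML and lists every file-name based Deny/Allow/FileAttrib rule matching a given name. The sample policy embedded in it is constructed for the demonstration; the path `.\RecommendedBlockRules.xml` in the usage line is an assumed name for a locally saved copy of the Microsoft recommended block rules policy.

```powershell
# Added example: find file-name based rules in a WDAC (SiPolicy) XML.
# Not part of the original thread. Works with Windows PowerShell 5.1 and later.

function Get-WdacFileNameRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PolicyPath,
        # Name to look for; wildcards on either side are honoured, so a policy
        # rule with FileName="*" matches every query.
        [string]$FileName = '*'
    )

    [xml]$policy = Get-Content -LiteralPath $PolicyPath -Raw

    # Deny and Allow rules are applied directly; FileAttrib rules are referenced
    # by signer rules and are worth seeing too. Any of these may be absent.
    $rules = @()
    $rules += $policy.SiPolicy.FileRules.Deny
    $rules += $policy.SiPolicy.FileRules.Allow
    $rules += $policy.SiPolicy.FileRules.FileAttrib

    foreach ($r in $rules) {
        if ($null -eq $r -or -not $r.FileName) { continue }   # hash-only rules carry no FileName
        if ($FileName -like $r.FileName -or $r.FileName -like $FileName) {
            [pscustomobject]@{
                Type         = $r.LocalName          # Deny / Allow / FileAttrib
                Id           = $r.ID
                FriendlyName = $r.FriendlyName
                FileName     = $r.FileName
                MinVersion   = $r.MinimumFileVersion
            }
        }
    }
}

# Constructed sample policy (not the real Microsoft block list): one deny rule
# for a made-up DLL plus the "allow everything else" rules a block list carries.
$samplePolicy = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <FileRules>
    <Deny ID="ID_DENY_EXAMPLE_1" FriendlyName="constructed example deny rule" FileName="examplehost.dll" MinimumFileVersion="65535.65535.65535.65535" />
    <Allow ID="ID_ALLOW_ALL_1" FriendlyName="Allow Kernel Drivers" FileName="*" />
    <Allow ID="ID_ALLOW_ALL_2" FriendlyName="Allow User mode components" FileName="*" />
  </FileRules>
</SiPolicy>
'@
$samplePath = Join-Path $env:TEMP 'sample-blockrules.xml'
Set-Content -LiteralPath $samplePath -Value $samplePolicy -Encoding UTF8

# The made-up DLL hits the Deny rule; FRHook.dll hits only the wildcard Allow rules,
# i.e. nothing in this policy names it, which is what the reply above found.
Get-WdacFileNameRule -PolicyPath $samplePath -FileName 'examplehost.dll' | Format-Table -AutoSize
Get-WdacFileNameRule -PolicyPath $samplePath -FileName 'FRHook.dll'      | Format-Table -AutoSize

# Against a locally saved copy of the real policy (assumed file name):
# Get-WdacFileNameRule -PolicyPath .\RecommendedBlockRules.xml -FileName 'FRHook.dll'
```

If the only matches for a file are wildcard Allow rules, the block list is not what is refusing it; the refusal then comes from the rest of the merged policy (typically the signer or publisher rules it is combined with), which is where the previous example's signature check points you next.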