Adding and testing a rule that blocks a DLL

You may want to prevent the user from opening a specific application. One way to block a user from opening an application is to block a DLL that the application uses to run. To block the DLL, you can create a rule that blocks the DLL from loading. When the user tries to open the application, they cannot.
For example, the Msvcrt.dll file contains the program code that is used to run various Windows applications such as Microsoft WordPad. If you add a rule that blocks Msvcrt.dll on the client computer, you cannot open Microsoft WordPad
Some applications that are written to be "security conscious” may interpret the DLL injection as a malicious act. Take counter measures to block the injection or remove the DLL.
  1. To add and test a rule that blocks a DLL
  2. To add a rule that blocks a DLL, open an Application Control policy, and on the
    Application Control
    pane, click
    Add
    .
  3. In the
    Application Control Rule Set
    dialog box, under the
    Rules
    list, click
    Add > Add Rule
    .
  4. On the
    Properties
    tab, in the
    Rule name
    text box, type
    Block user from opening Microsoft WordPad
    .
  5. To the right of
    Apply this rule to the following processes
    , click
    Add
    .
  6. In the
    Add Process Definition
    dialog box, under
    Processes name to match
    , type
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    , and then click
    OK
    .
  7. In the
    Application Control Rule Set
    dialog box, under the
    Rules
    list, click
    Add > Add Condition > Load DLL Attempts
    .
  8. On the
    Properties
    tab, in the
    Description
    text box, type
    dll blocked
    .
  9. To the right of
    Apply to the following DLLs
    , click
    Add
    .
  10. In the
    Add DLL Definition
    dialog box, in the text box in the
    DLL name to match
    group box, type
    MSVCRT.dll
    , and then click
    OK
    .
  11. In the
    Application Control Rule Set
    dialog box, on the
    Actions
    tab, click
    Block access
    ,
    Enable logging
    , and
    Notify user
    .
  12. Under
    Notify user
    , type
    Should not be able to load WordPad
    .
  13. Click
    OK
    twice and assign the policy to the client computer group.
    Test the rule.
  14. To test a rule that blocks a DLL, on the client computer, try to open Microsoft WordPad.