Adding and testing a rule that blocks a DLL
You may want to prevent the user from opening a specific application. One way to block a user from opening an application is to block a DLL that the application uses to run. To block the DLL, you can create a rule that blocks the DLL from loading. When the user tries to open the application, they cannot.
For example, the Msvcrt.dll file contains the program code that is used to run various Windows applications such as Microsoft WordPad. If you add a rule that blocks Msvcrt.dll on the client computer, you cannot open Microsoft WordPad.
Some applications that are written to be "security conscious" may interpret the DLL injection as a malicious act. Take countermeasures to block the injection or remove the DLL.
- To add and test a rule that blocks a DLL
- To add a rule that blocks a DLL, open an Application Control policy, and on the Application Control pane, click Add.
- In the Application Control Rule Set dialog box, under the Rules list, click Add > Add Rule.
- On the Properties tab, in the Rule name text box, type Block user from opening Microsoft WordPad.
- To the right of Apply this rule to the following processes, click Add.
- In the Add Process Definition dialog box, under Processes name to match, type C:\Program Files\Windows NT\Accessories\wordpad.exe, and then click OK.
- In the Application Control Rule Set dialog box, under the Rules list, click Add > Add Condition > Load DLL Attempts.
- On the Properties tab, in the Description text box, type dll blocked.
- To the right of Apply to the following DLLs, click Add.
- In the Add DLL Definition dialog box, in the text box in the DLL name to match group box, type MSVCRT.dll, and then click OK.
- In the Application Control Rule Set dialog box, on the Actions tab, click Block access, Enable logging, and Notify user.
- Under Notify user, type Should not be able to load WordPad.
- Click OK twice and assign the policy to the client computer group. Test the rule.
- To test a rule that blocks a DLL, on the client computer, try to open Microsoft WordPad.
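The test step can also be checked from PowerShell on the client computer. The following is an added example, not part of the original procedure or the product's own tooling: it starts the process named in the rule and reports whether it is still running and whether the DLL named in the rule is loaded. The function name `Test-DllLoaded` and the wait time are hypothetical; the path and DLL name are the ones typed in the steps above.

```powershell
# Added example: confirm whether a process loads the DLL named in the rule.
# Run once before the policy is assigned (baseline) and once after.
function Test-DllLoaded {
    param(
        [string]$ExePath = 'C:\Program Files\Windows NT\Accessories\wordpad.exe',
        [string]$DllName = 'MSVCRT.dll',
        [int]$WaitSeconds = 5   # hypothetical settle time before inspecting modules
    )

    if (-not (Test-Path -LiteralPath $ExePath)) {
        throw "Executable not found: $ExePath"
    }

    $proc = Start-Process -FilePath $ExePath -PassThru
    try {
        Start-Sleep -Seconds $WaitSeconds
        $proc.Refresh()   # discard cached process state before reading it

        if ($proc.HasExited) {
            # The process did not stay up, so no module list is available.
            return [pscustomobject]@{ Running = $false; DllLoaded = $false }
        }

        # Module names are compared case-insensitively (msvcrt.dll vs MSVCRT.dll).
        $hits = @($proc.Modules | Where-Object { $_.ModuleName -ieq $DllName })
        return [pscustomobject]@{ Running = $true; DllLoaded = ($hits.Count -gt 0) }
    }
    finally {
        # Close the test instance if it is still open.
        if (-not $proc.HasExited) { Stop-Process -Id $proc.Id -Force }
    }
}

# Baseline, before the policy is assigned: Running and DllLoaded are expected
# to be True, which confirms the rule targets a DLL the application really loads.
# After the policy is assigned: Running = False or DllLoaded = False is taken
# here as the sign that the rule took effect (an assumption about how the
# block shows up; the client log and user notification remain the authoritative check).
Test-DllLoaded | Format-List
```

Run it in a PowerShell session with the same bitness as the target process, because module enumeration across 32-bit and 64-bit processes can fail.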