cancel
Showing results for 
Search instead for 
Did you mean: 
ricdue
Level 7
Report Inappropriate Content
Message 1 of 5

How to whitelist dynamic dlls used by Word

Hi,

I hope someone can help me.

I want to allow Word file access to specific dlls, but the problem is that they seem to be dynamically generated.

The dlls are used/created by something called ProQuest for Word, which is some kind of add-on/extension for Word. After this was installed on the users machine, MAC started blocking file access repeatedly to dll’s starting with proxy_vole, but with different numbers following it. 

For example proxy_vole6513544225070924898.dll or proxy_vole5491073914121433542.dll.

I want to know, how I via McAfee ePO can allow winword.exe file access to all the different variations of proxy_vole, where it seems that there is regularly generated new dll’s with new numbers.

Thank you in advance.

4 Replies

Re: How to whitelist dynamic dlls used by Word

Are you seeing any Policy Discovery requests or WRITE_DENIED / EXECUTION_DENIED events reported to the ePO or even in the local system Windows Event Viewer? Is it the winword.exe process that is creating these DLL's or a ProQuest binary? You could potentially add either binary as a Trusted Updater, but in the case of winword.exe I'd use this judiciously as I believe it could potentially expose your system to unauthorised code (i.e. malicious macro functions) from being able to dynamically affect changes to the Solidcore whitelist and allowed to execute.

HTH, Mick

ricdue
Level 7
Report Inappropriate Content
Message 3 of 5

Re: How to whitelist dynamic dlls used by Word

Hi Mick

  • Are you seeing any Policy Discovery requests or WRITE_DENIED / EXECUTION_DENIED events reported to the ePO or even in the local system Windows Event Viewer?
    • It doesn't show up in policy discovery. If I look at a machine with this problem it shows up in the threat events for that machine with the event category: "File Access Blocked", Threat name: "WRITE_DENIED" and Event description: "File Write Denied".
  • Is it the winword.exe process that is creating these DLL's or a ProQuest binary?
    • It is the WinWord.exe process that is creating the dlls. The ProQuest binary was added as a updater in solidcore rules and the user then installed Proquest for Word. Proquest for Word was then added to / installed unto Word as a addon or extension.
  • You could potentially add either binary as a Trusted Updater, but in the case of winword.exe I'd use this judiciously as I believe it could potentially expose your system to unauthorised code (i.e. malicious macro functions) from being able to dynamically affect changes to the Solidcore whitelist and allowed to execute.
    • I am hoping that there is some way to add an exception using something like "Process Context File Operations bypass" to exclude dlls of this format when run by the process WinWord. However, I am not sure how to do this, because the format of the dlls seems to be "proxy_vole[random string of number].dll".

This is an example of the file path and process name:

Threat Target Process Name: C:\Programmer\Microsoft Office\Office14\WINWORD.EXE

Threat Target File Path: c:\documents and settings\%USERNAME%\lokale indstillinger\temp\proxy_vole6513544225070924898.dll

Highlighted
neelima
Level 12
Report Inappropriate Content
Message 4 of 5

Re: How to whitelist dynamic dlls used by Word

ricdue, are these dlls signed by any chance?

ricdue
Level 7
Report Inappropriate Content
Message 5 of 5

Re: How to whitelist dynamic dlls used by Word

Sorry I took my time to reply. The dlls are not signed unfortunately. However I think that I may have found a filter that seems to solve the problem, but I am still interested if someone have a better/other solution.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community