2 Replies Latest reply on Jul 18, 2013 10:46 AM by rmetzger

    Scanning .DLL files

      I have been asked to exclude many .DLL files from application folders.  Is this wise?

        • 1. Re: Scanning .DLL files
          Tristan

          Depends on what DLLs are to be excluded.

           

          For example, if we were talking about a range of in-house compiled DLLs that belong to a company's internally developed application, then you could class them as 'trusted' and exclude them.

           

          If you don't know where the DLLs have come from or are not from trusted sources then excluding might be unwise.

          • 2. Re: Scanning .DLL files
            rmetzger

            Hi Bob,

            rkokic wrote:

             

            I have been asked to exclude many .DLL files from application folders.  Is this wise?

            The short answer: No!

             

            The Long answer: H*!! No!

             

            What applications are you requested to Exclude and Why?

             

            Exclusions should be Extremely Rare and for Well Documented reasons.

             

            .Dll files are executable libraries with multiple entry points, each with different attack vectors that need defending.

             

            A much better solution would be to implement High/Low Risk Processes. If you had an application internally written, which is critical to your business, you could define this as a low risk process (the process starts with the .exe when launched). When a .dll is called from that .exe, the low risk process would be more 'forgiving' to the .dll calls. If some other .exe tries to use the .dll files, it is given more scrutiny.

             

            See vse_880_best_practices_guide.pdf for more info on exclusions and high/default/low risk processes.

             

            Infections often are allowed to occur due to well-meaning exclusions. It has been my experience that the exclusions were not necessary, in most cases.

             

            Just my humble opinion.

             

            Ron Metzger