4 Replies Latest reply on Nov 3, 2015 3:55 AM by ricdue

    How to whitelist dynamic dlls used by Word

    ricdue

      Hi,

      I hope someone can help me.

      I want to allow Word file access to specific dlls, but the problem is that they seem to be dynamically generated.

      The dlls are used/created by something called ProQuest for Word, which is some kind of add-on/extension for Word. After this was installed on the user's machine, MAC started repeatedly blocking file access to dlls starting with proxy_vole, but with different numbers following it.

      For example proxy_vole6513544225070924898.dll or proxy_vole5491073914121433542.dll.

      I want to know how I can, via McAfee ePO, allow winword.exe file access to all the different variations of proxy_vole, where it seems that new dlls with new numbers are regularly generated.

      Thank you in advance.

        • 1. Re: How to whitelist dynamic dlls used by Word
          aus_mick

          Are you seeing any Policy Discovery requests or WRITE_DENIED / EXECUTION_DENIED events reported to the ePO or even in the local system Windows Event Viewer? Is it the winword.exe process that is creating these DLLs or a ProQuest binary? You could potentially add either binary as a Trusted Updater, but in the case of winword.exe I'd use this judiciously, as I believe it could potentially expose your system to unauthorised code (i.e. malicious macro functions) being able to dynamically effect changes to the Solidcore whitelist and being allowed to execute.

          HTH, Mick

          • 2. Re: How to whitelist dynamic dlls used by Word
            ricdue

            Hi Mick

            • Are you seeing any Policy Discovery requests or WRITE_DENIED / EXECUTION_DENIED events reported to the ePO or even in the local system Windows Event Viewer?
              • It doesn't show up in policy discovery. If I look at a machine with this problem it shows up in the threat events for that machine with the event category: "File Access Blocked", Threat name: "WRITE_DENIED" and Event description: "File Write Denied".
            • Is it the winword.exe process that is creating these DLLs or a ProQuest binary?
              • It is the WinWord.exe process that is creating the dlls. The ProQuest binary was added as an updater in solidcore rules and the user then installed ProQuest for Word. ProQuest for Word was then added to / installed onto Word as an addon or extension.
            • You could potentially add either binary as a Trusted Updater, but in the case of winword.exe I'd use this judiciously, as I believe it could potentially expose your system to unauthorised code (i.e. malicious macro functions) being able to dynamically effect changes to the Solidcore whitelist and being allowed to execute.
              • I am hoping that there is some way to add an exception using something like "Process Context File Operations bypass" to exclude dlls of this format when run by the process WinWord. However, I am not sure how to do this, because the format of the dlls seems to be "proxy_vole[random string of number].dll".


            This is an example of the file path and process name:

            Threat Target Process Name: C:\Programmer\Microsoft Office\Office14\WINWORD.EXE

            Threat Target File Path: c:\documents and settings\%USERNAME%\lokale indstillinger\temp\proxy_vole6513544225070924898.dll

            • 3. Re: How to whitelist dynamic dlls used by Word

              ricdue, are these dlls signed by any chance?

              • 4. Re: How to whitelist dynamic dlls used by Word
                ricdue

                Sorry I took my time to reply. The dlls are not signed unfortunately. However I think that I may have found a filter that seems to solve the problem, but I am still interested if someone has a better/other solution.
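
Added example, not part of the original thread and not McAfee code: a Python sketch for checking how narrowly an exception like the one discussed in reply 2 should match before it is created in ePO. It tests exported "File Access Blocked" events against the exact process path, the per-user temp directory and the `proxy_vole<digits>.dll` name shape from the thread; the event dictionary keys, the user name `jdoe` and the sample events are constructed for illustration.

```python
import ntpath
import re

# Process path and temp-directory layout copied from the sample event in the thread.
WORD_PATH = r"c:\programmer\microsoft office\office14\winword.exe"
TEMP_DIR_RE = re.compile(
    r"c:\\documents and settings\\[^\\]+\\lokale indstillinger\\temp", re.I)
# "proxy_vole" + digits + ".dll" and nothing else (no second extension).
NAME_RE = re.compile(r"proxy_vole\d+\.dll", re.I)

def in_scope(event):
    """Return (covered, reason) for one blocked-write event."""
    if event["threat_name"] != "WRITE_DENIED":
        return False, "not WRITE_DENIED"
    if ntpath.normpath(event["process"]).lower() != WORD_PATH:
        return False, "unexpected process path"
    # normpath collapses ".." so a path cannot escape temp and still match.
    directory, name = ntpath.split(ntpath.normpath(event["file_path"]))
    if not TEMP_DIR_RE.fullmatch(directory):
        return False, "outside user temp directory"
    if not NAME_RE.fullmatch(name):
        return False, "name is not proxy_vole<digits>.dll"
    return True, "covered"

def triage(events):
    """Split events into those the narrow exception covers and those needing review."""
    covered, review = [], []
    for ev in events:
        ok, reason = in_scope(ev)
        (covered if ok else review).append((ev["file_path"], reason))
    return covered, review

# Constructed sample events; the user name "jdoe" is made up.
WORD = r"C:\Programmer\Microsoft Office\Office14\WINWORD.EXE"
TEMP = r"c:\documents and settings\jdoe\lokale indstillinger\temp"
SAMPLE_EVENTS = [
    {"threat_name": "WRITE_DENIED", "process": WORD,
     "file_path": TEMP + r"\proxy_vole6513544225070924898.dll"},
    {"threat_name": "WRITE_DENIED", "process": WORD,
     "file_path": TEMP + r"\proxy_vole5491073914121433542.dll.exe"},
    {"threat_name": "WRITE_DENIED", "process": WORD,
     "file_path": TEMP + r"\..\..\proxy_vole1.dll"},
    {"threat_name": "WRITE_DENIED", "process": TEMP + r"\winword.exe",
     "file_path": TEMP + r"\proxy_vole2.dll"},
]

if __name__ == "__main__":
    covered, review = triage(SAMPLE_EVENTS)
    for path, reason in covered + review:
        print(f"{reason:40} {path}")
```

Events that land in the review list are the ones a looser wildcard (for example anything beginning with `proxy_vole`, or any process named winword.exe) would have let through.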