Trusted Application DLL Protection

Endpoint Privilege Management for Windows can dynamically evaluate the DLLs loaded by trusted applications, and the behaviour is configured per Workstyle. Only the first Workstyle that has DLL Control set to Enabled or Disabled takes effect; any DLL Control configuration in subsequent Workstyles is ignored.

A DLL is allowed to load into a Trusted Application Protection (TAP) application only if it has both a trusted publisher and a trusted owner. Failing either check makes the DLL untrusted.

  • Trusted Publisher: The DLL must be digitally signed, and the publisher's signing certificate must be valid, in date, and not revoked.
  • Trusted Owner: The file owner of the DLL must be one of the default Windows groups Administrators, SystemUser, or TrustedInstaller.

TAP DLL control affects the following applications:

  • Microsoft Word
  • Microsoft Excel
  • Microsoft PowerPoint
  • Microsoft Publisher
  • Adobe Reader 11 and earlier
  • Adobe Reader DC
  • Microsoft Outlook
  • Google Chrome
  • Mozilla Firefox
  • Microsoft Internet Explorer
  • Microsoft Edge

You can turn on DLL monitoring for TAP applications in any Workstyle, but only the first Workstyle with DLL Control set to Enabled or Disabled is applied; the DLL Control settings of later Workstyles are not evaluated.

Configure Trusted Application DLL Protection

Select the Trusted Application DLL Protection enabled check box, then click Configure to administer how DLLs are handled for TAP applications.

The Configure dialog has the following options:

  • Trusted Application Protection (DLL): Select Enabled, Disabled, or Not Configured from the dropdown list. The first Workstyle evaluated that has DLL Control set to Enabled or Disabled is matched by Endpoint Privilege Management for Windows; the DLL Control settings of subsequent Workstyles are not evaluated.
  • Action: Select Passive (No Change) or Block Execution. This is what happens when a DLL that fails the trust checks tries to load into a TAP application. Passive records the load without changing it; Block Execution prevents it.
  • End User Message: Select whether a message is displayed to the user when the DLL tries to load, regardless of whether it is allowed to run. We recommend using a message if you are blocking DLLs, so the end user gets some feedback rather than an unexplained application error.

Auditing

  • Raise an Event: Select whether an event is raised when a TAP application tries to load a DLL. The event is written to the local Windows event log.
  • McAfee ePO Reporting Options:
    ◦ ePO Threat Events: Select this option to raise an ePO threat event. These are separate from Endpoint Privilege Management reporting events.
    ◦ Endpoint Privilege Management Reporting Events: Select this option to raise an Endpoint Privilege Management reporting event. These are available in BeyondTrust Endpoint Privilege Management Reporting.

Exclusions

  • Exclude DLLs from Rule: Enter the DLLs that you want to exclude from DLL Control for TAP applications. These are DLLs that have an untrusted owner or an untrusted publisher (or both) but that you still want to allow to load while DLL Control for TAP is enabled in the Workstyle. The list is matched by DLL name and is not validated when you enter it: if a listed name is not matched by the client, nothing is excluded, so check the spelling against the name the client reports in its events.

Third-party applications may show error messages that are not immediately clear to the end user when Endpoint Privilege Management for Windows blocks a DLL from loading into a TAP application.
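Before switching the Action to Block Execution, it is worth rehearsing the two trust checks described above against the DLLs a TAP application actually loads, so that blocks can be predicted and the Exclusions list can be populated with real names. The following PowerShell is an added example, not BeyondTrust code and not the check the Endpoint Privilege Management client itself performs. It assumes that the trusted owner groups named on this page correspond to the Windows principals BUILTIN\Administrators, NT AUTHORITY\SYSTEM and NT SERVICE\TrustedInstaller; the function names Test-TapDllTrust and Get-TapBlockCandidates are my own.

```powershell
# Added example (not BeyondTrust code): pre-check the DLLs loaded by a running
# TAP application against the two TAP DLL Control criteria (trusted publisher
# AND trusted owner) and list the ones Block Execution would stop.
# Assumption: the page's owner groups map to these Windows principals.
$TrustedOwners = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller'
)

function Test-TapDllTrust {
    param([Parameter(Mandatory)][string]$Path)

    # Trusted publisher: signed, chain valid, certificate in date, not revoked.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $publisherOk = $false
    $publisherReason = $sig.Status.ToString()   # e.g. NotSigned, HashMismatch
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $publisherReason = 'Signer certificate out of date'
        } else {
            # Explicit online revocation check across the whole signer chain.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'Online'
            $chain.ChainPolicy.RevocationFlag = 'EntireChain'
            if ($chain.Build($cert)) {
                $publisherOk = $true
                $publisherReason = "Signed by $($cert.Subject)"
            } else {
                $publisherReason = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            }
        }
    }

    # Trusted owner: the file's owner must be one of the trusted principals.
    $owner = (Get-Acl -Path $Path).Owner
    $ownerOk = $TrustedOwners -contains $owner

    [pscustomobject]@{
        Path            = $Path
        Name            = [IO.Path]::GetFileName($Path)
        PublisherOk     = $publisherOk
        PublisherReason = $publisherReason
        Owner           = $owner
        OwnerOk         = $ownerOk
        # TAP requires BOTH checks to pass; failing either means a block.
        WouldBeBlocked  = -not ($publisherOk -and $ownerOk)
    }
}

function Get-TapBlockCandidates {
    param([Parameter(Mandatory)][string]$ProcessName)  # e.g. 'OUTLOOK', 'chrome', 'WINWORD'

    # Enumerate the modules of every running instance of the TAP application.
    # Caveat: module enumeration needs a shell of the same bitness as the target
    # and sufficient rights over the process; run elevated to avoid Access Denied.
    $procs = Get-Process -Name $ProcessName -ErrorAction Stop
    $paths = foreach ($p in $procs) {
        try { $p.Modules | ForEach-Object { $_.FileName } }
        catch { Write-Warning "Cannot enumerate modules of PID $($p.Id): $_" }
    }
    $paths | Where-Object { $_ -match '\.dll$' } | Sort-Object -Unique |
        ForEach-Object { Test-TapDllTrust -Path $_ }
}

# Usage: show which DLLs in running Outlook fail the checks, then print the
# name-only list in the form the Exclusions field takes.
$results = Get-TapBlockCandidates -ProcessName 'OUTLOOK'
$results | Where-Object WouldBeBlocked |
    Format-Table Name, Owner, OwnerOk, PublisherOk, PublisherReason -AutoSize
'Exclusion candidates (verify each before adding):'
$results | Where-Object WouldBeBlocked | Select-Object -ExpandProperty Name -Unique
```

Run it with the Action still set to Passive (No Change) and Raise an Event enabled, then compare its output with the events the client logs: a DLL that appears in both is a genuine candidate for the Exclusions list, while a DLL that only this script flags usually means the owner mapping assumed here differs from what the client checks.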