Trusted Application DLL Protection

Privilege Management for Windows can dynamically evaluate the DLLs loaded by trusted applications (TAP applications) in each Workstyle. The first Workstyle to have DLL Control Enabled or Disabled causes any configuration of DLL Control in subsequent Workstyles to be ignored.

Unless a DLL has a trusted publisher and a trusted owner, it is not allowed to run within the TAP application.

Trusted Publisher: The DLL must be signed, and the publisher certificate must be valid, within its validity period, and not revoked.

Trusted Owner: A trusted owner is any owner that is in the default Windows groups Administrators, SystemUser, or TrustedInstaller.
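As an added example (not BeyondTrust's code), the following PowerShell script applies the two checks described above, signature validity and file owner, to the DLLs loaded by a running TAP application, so an administrator can preview which DLLs would be blocked before changing the Action from Passive (No Change) to Block Execution. The owner principals (BUILTIN\Administrators, NT AUTHORITY\SYSTEM and NT SERVICE\TrustedInstaller as the account names behind the groups listed above) and the process name WINWORD are assumptions.

```powershell
# Added example, not part of Privilege Management for Windows.
# Previews the "trusted publisher" and "trusted owner" checks for the DLLs
# currently loaded in a TAP application (WINWORD is an assumed process name).
# The owner principals are an assumed mapping of the page's group names
# (Administrators, SystemUser, TrustedInstaller) to Windows account names.
$trustedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')

function Test-TrustedPublisher {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return $false }
    # Rebuild the signer's chain with online revocation checking so that an
    # expired or revoked publisher certificate fails, as the page requires.
    # This is stricter than Authenticode timestamping: an expired but
    # countersigned certificate is reported as untrusted here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'
    $ok = $chain.Build($sig.SignerCertificate)
    $chain.Reset()
    return $ok
}

function Test-TrustedOwner {
    param([string]$Path)
    $owner = (Get-Acl -Path $Path).Owner
    return ($trustedOwners -contains $owner)
}

function Get-TapDllVerdict {
    param([string]$ProcessName = 'WINWORD')   # assumed TAP application
    $proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
    foreach ($m in $proc.Modules) {
        $path = $m.FileName
        if ([IO.Path]::GetExtension($path) -ne '.dll') { continue }
        $pub = Test-TrustedPublisher -Path $path
        $own = Test-TrustedOwner -Path $path
        [pscustomobject]@{
            Dll              = $path
            TrustedPublisher = $pub
            TrustedOwner     = $own
            # A DLL needs BOTH a trusted publisher and a trusted owner to run.
            WouldBeBlocked   = -not ($pub -and $own)
        }
    }
}

Get-TapDllVerdict | Where-Object WouldBeBlocked | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session so that the module list of a 64-bit process can be read; any DLL it reports is a candidate for the Exclude DLLs from Rule list, or for investigation before Block Execution is enabled.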

TAP DLL control affects the following applications:

  • Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Publisher, Adobe Reader 11 and lower, Adobe Reader DC, Microsoft Outlook, Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Microsoft Edge

You can turn on the monitoring of DLLs for TAP applications in any Workstyle. However, the first Workstyle to have DLL Control Enabled or Disabled causes any configuration of DLL Control in subsequent Workstyles to be ignored.

Configure Trusted Application DLL Protection

Select Trusted Application DLL Protection enabled, then click Configure to administer how DLLs are handled for TAP applications.

Trusted Application Protection (DLL): Select Enabled, Disabled, or Not Configured from the dropdown. The first Workstyle to be evaluated that has DLL Control Enabled or Disabled is matched by Privilege Management for Windows, meaning subsequent Workstyles are not evaluated by Privilege Management for Windows.

Action: Select from Passive (No Change) or Block Execution. This is what happens if the DLL in the TAP application tries to run.

End User Message: Select whether a message is displayed to the user when the DLL tries to run (regardless of whether it is allowed to run). We recommend using Messages if you're blocking a DLL from running so the end user has some feedback.

Auditing

Raise an Event: Whether or not you want an event to be raised if the TAP application tries to run a DLL. The event is written to the local event log.

Trellix ePO Reporting Options

ePO Threat Events: Select this option to raise an ePO Threat event. These are separate from Privilege Management Reporting events.

Privilege Management Reporting: Select this option to raise a Privilege Management Reporting event. These are available in Privilege Management Reporting in BeyondInsight.

Exclusions

Exclude DLLs from Rule: Enter the DLLs that you want to exclude from DLL Control for TAP applications. These are DLLs that have an untrusted owner or an untrusted publisher but that you still want to be allowed to run with DLL Control for TAP enabled in the Workstyle. This list of DLLs is not validated: if the DLL name listed isn't matched by the client, nothing is excluded.

Third-party applications may display error messages that aren't immediately clear to the end user when Privilege Management for Windows blocks a DLL from running in a TAP application.

After you change the policy, click Submit and then Save to save the policy. In ePO 5.10 and later, if you have Trellix Approvals workflow enabled, this workflow can be modified to change the Save button to Submit for Review based on user permissions.