DLL File Protection

Traps now extends its malware protection capabilities to block malicious DLL files on Windows endpoints. To provide a layered approach to DLL protection, the new module evaluates both the loading process and the DLL file itself. By default, the DLL Files module prevents DLL-loading processes that are commonly used in a wide range of attack vectors from loading malicious DLL files. While Palo Alto Networks can add or modify the default list of DLL-loading processes protected by this module via content updates, you can also configure DLL protection for additional DLL-loading processes, as needed.
Like the existing WildFire modules which protect the endpoint from running malicious executable files and macros, the new DLL examination module evaluates a file in phases.
[Figure: DLL files evaluation flow]
When a user first tries to open a DLL file, Traps evaluates both the loading process and the DLL itself:
  • Loading process—Traps examines the DLL if it is loaded by a process configured in the DLL Files security policy. This policy protects Windows system processes (such as rundll32.exe) that attackers commonly use to load DLLs on the endpoint and can include any additional DLL-loading processes that you define.
  • DLL Files whitelist—Traps examines the DLL if it is not in the DLLs whitelist.
  • Trusted signer—Traps examines the DLL if it is not signed by a trusted signer.
When an unknown DLL meets the above criteria, Traps performs additional evaluation and handling actions depending on the configuration of your DLL Files policy. For unknown DLLs, Traps at minimum queries the ESM for an official WildFire verdict for the DLL file. Traps can also submit the DLL file (maximum file size 100MB) for in-depth analysis and use local analysis to issue a local verdict for unknown files.
To exempt a DLL filename or path from examination by this module (regardless of the loading process), you can add it to the DLL files whitelist. Because the whitelist is merged across all DLL Files rules, we recommend that you configure a separate rule for the express purpose of managing the DLL whitelist.
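The evaluation flow above, together with the rule settings the following sections configure (action mode, grayware handling, local analysis and the two unknown-verdict fallbacks), modelled as one decision function. This is an added example, not Traps code: the policy fields, outcome strings, signer name and verdict names are assumptions, and the whitelist match reproduces the wildcard behaviour described under Whitelist a DLL File.

```python
import ntpath
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class DllPolicy:
    """Constructed model of the DLL Files rule settings named on this page."""
    protected_processes: frozenset               # DLL-loading processes to examine
    whitelist: tuple                             # full paths; wildcards allowed
    trusted_signers: frozenset
    action: str = "Prevention"                   # Prevention | Notification | Learning
    malware_verdict_on_grayware: bool = False    # Apply Malware Verdict on Grayware
    local_analysis: bool = True                  # Enable Local Analysis on Unknown Files
    verdict_unavailable: str = "Allow Unknowns"  # WildFire Verdict is Unavailable
    esm_unreachable: str = "Allow Unknowns"      # ESM Unreachable

def whitelisted(dll_path, patterns):
    """Case-insensitive match; %VAR% is expanded and '*' also crosses backslashes."""
    path = dll_path.lower()
    return any(fnmatchcase(path, ntpath.expandvars(p).lower()) for p in patterns)

def evaluate(policy, loader, dll_path, signer=None, esm_verdict="unknown", local_verdict=None):
    """Outcome of one DLL load. esm_verdict is benign/grayware/malware/unknown, or
    None when the ESM cannot be reached; local_verdict is what local analysis returns."""
    # Phase 1: the load is examined only if none of the exemptions apply
    if loader.lower() not in policy.protected_processes:
        return "not examined: loader not protected"
    if whitelisted(dll_path, policy.whitelist):
        return "not examined: whitelisted"
    if signer in policy.trusted_signers:
        return "not examined: trusted signer"
    # Phase 2: obtain a verdict, noting which unknown-handling setting applies
    if esm_verdict is None:
        verdict, fallback = "unknown", policy.esm_unreachable
    else:
        verdict, fallback = esm_verdict, policy.verdict_unavailable
    if verdict == "unknown" and policy.local_analysis and local_verdict:
        verdict = local_verdict  # with local analysis on, an unknown still gets a verdict
    if verdict == "grayware":
        verdict = "malware" if policy.malware_verdict_on_grayware else "benign"
    # Phase 3: apply the configured handling
    if verdict == "unknown":
        return "allowed: unknown" if fallback == "Allow Unknowns" else "blocked: unknown"
    if verdict == "benign":
        return "allowed: benign"
    return {"Prevention": "blocked: malicious",
            "Notification": "allowed, user notified: malicious",
            "Learning": "allowed, silently logged: malicious"}[policy.action]

# Constructed sample policy: the page's rundll32.exe loader plus one whitelist wildcard
SAMPLE_POLICY = DllPolicy(frozenset({"rundll32.exe"}), (r"*\myfilename.dll",),
                          frozenset({"Trusted Vendor (constructed)"}), local_analysis=False)
```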

Configure DLL Files Rules (ESM 4.1.1 and Later Releases)

With ESM 4.1.1 and later releases, you configure general settings—such as how to analyze the DLLs on your endpoints and DLL files exempt from examination—in a general settings rule. You can then layer additional rules that apply only to specific processes on top of the general settings rules.
To configure additional DLL Files rules, use the following workflow:
  1. Verify that the ESM components are configured to communicate with WildFire.
  2. Configure a new WildFire rule to enable analysis of DLL files.
    1. Select Policies > Malware > WildFire.
    2. From the action menu, select Add.
    3. Select DLL Files as the type of file to which you want to apply WildFire analysis.
  3. Choose the Rule Type, either General module settings to apply the rule to all processes, or Process-specific settings to apply the rule to select processes.
    The type of rule also determines the settings that you can configure. In a General module settings rule, you configure the settings that apply to all DLL files. In a process-specific rule, you can override the general Activation and Action mode settings for select processes; all other settings are not configurable in process-specific rules.
    [Figure: General DLL Settings Rule]
    [Figure: Process-Specific DLL Rule]
  4. (Process-specific settings only) Configure the activation mode for this module on select processes, either On (default) to allow Traps to calculate and check hash verdicts for DLL files against its local cache of hashes or Off to disable the module for one or more processes.
    When you configure a General module settings rule, the ESM Console automatically sets the Activation to On. As a result, the activation option is not configurable for General module settings rules.
  5. Configure the Action—the behavior of Traps—when Traps identifies a malicious DLL.
    • Select Inherit to use the behavior defined by the default policy.
    • Select Prevention (default) to block the parent process trying to open the malicious DLL file and the DLL file itself.
    • Select Notification to allow the user to open the file, log the issue, and notify the user about the malicious DLL file.
    • Select Learning to allow the user to open a malicious DLL file and silently log the issue without notifying the user.
  6. Specify whether Traps will display User Alerts when a malicious DLL is detected, either On (default) to notify the user or Off to silently log the event.
  7. (Process-specific settings only) Specify the protected processes which trigger the DLL file examination (Activation is On). If you disabled activation (Activation is Off), specify the processes which are exempt from DLL examination.
    1. Click the add icon to add Protected Processes. The ESM Console provides autocompletion based on the processes on the Process Management page.
    2. Repeat this step to specify additional processes.
  8. (General module settings only) Configure the WildFire analysis settings for DLL files:
    • Upload Files for WildFire Analysis—Set this value to On (default) to enable Traps to send unknown DLL files to the ESM, which sends the files to WildFire for analysis. Set this value to Off if you do not want to send files to WildFire for analysis.
    • Apply Malware Verdict on Grayware—Set this option to On to treat all grayware DLLs as malware. Otherwise, if this option is Off (default), grayware is considered benign and is not blocked.
    • Enable Local Analysis on Unknown Files—Set this option to On (default) to allow Traps to use statistical analysis to determine the nature of an unknown DLL. Set this value to Off if you do not want Traps to analyze a DLL. In prevention mode, Traps will block or allow unknown DLLs according to the unknown verdict configuration.
  9. (General module settings only) Configure the Traps behavior when a DLL file is unknown:
    • WildFire Verdict is Unavailable—Set this option to Allow Unknowns (default) or Block Unknowns when the file is unknown in the local and server cache.
      If local analysis is enabled, Traps always returns a verdict for an unknown DLL file. Therefore, configuring this option only applies to agents for which local analysis is not enabled.
    • ESM Unreachable—Set this option to Allow Unknowns (default) or Block Unknowns when Traps cannot reach the ESM Server to query for a verdict or submit the file for analysis.
  10. (Optional) Add Conditions to the rule. By default, a new rule does not contain any conditions.
  11. (Optional) Define the Target Objects to which to apply the rule. By default, a new rule applies to all objects in your organization.
  12. (Optional) Review the rule name and description. The ESM Console automatically generates the rule name and description based on the rule details but permits you to change these fields, if needed.
  13. Save the rule without activating it or Apply the rule to activate it immediately.
  14. After you configure DLL file protection, you can perform any of the following actions:
    • Although the agent automatically requests the latest security policy at the next heartbeat communication with the ESM Server, you can use the Check In Now option from the Traps console to force an immediate check-in. To verify that the agent received the rule, select Advanced > Policy and review the recent rules.
    • View all security events related to DLLs on the Security Events pages (Preventions > WildFire/Hash Control or Notifications > WildFire/Hash Control).
    • View all analyzed DLLs on the Policies > Malware > Hash Control page.
      To display only verdicts for DLL files, use the search conditions to set File Type: Is: DLL.

Configure DLL Files Rules (ESM 4.1.0)

To configure additional DLL Files rules, use the following workflow:
  1. Verify that the ESM components are configured to communicate with WildFire.
  2. Configure a new WildFire rule to enable analysis of DLL files.
    1. Select Policies > Malware > WildFire.
    2. From the action menu, select Add.
    3. Select DLL Files as the type of file to which you want to apply WildFire analysis.
    [Figure: DLL Files rule]
  3. Configure the activation mode for this module, either On (default) to allow Traps to calculate and check hash verdicts for DLL files against its local cache of hashes or Off to disable the module for one or more processes.
  4. Configure the Action—the behavior of Traps—when Traps identifies a malicious DLL.
    • Select Inherit to use the behavior defined by the default policy.
    • Select Prevention (default) to block the parent process trying to open the malicious DLL file and the DLL file itself.
    • Select Notification to allow the user to open the file, log the issue, and notify the user about the malicious DLL file.
    • Select Learning to allow the user to open a malicious DLL file and silently log the issue without notifying the user.
  5. Specify whether Traps will display User Alerts when a malicious DLL is detected, either On (default) to notify the user or Off to silently log the event.
  6. Specify the processes which trigger the DLL file examination (Activation is On). If you disabled activation (Activation is Off), specify the processes which are exempt from DLL examination.
    1. Click the add icon to add Protected Processes. The ESM Console provides autocompletion based on the processes on the Process Management page.
    2. Repeat this step to specify additional processes.
  7. Configure the WildFire analysis settings for DLL files:
    • Upload Files for WildFire Analysis—Set this value to On (default) to enable Traps to send unknown DLL files to the ESM, which sends the files to WildFire for analysis. Set this value to Off if you do not want to send files to WildFire for analysis.
    • Apply Malware Verdict on Grayware—Set this option to On to treat all grayware DLLs as malware. Otherwise, if this option is Off (default), grayware is considered benign and is not blocked.
    • Enable Local Analysis on Unknown Files—Set this option to On (default) to allow Traps to use statistical analysis to determine the nature of an unknown DLL. Set this value to Off if you do not want Traps to analyze a DLL. In prevention mode, Traps will block or allow unknown DLLs according to the unknown verdict configuration.
  8. Configure the Traps behavior when a DLL file is unknown:
    • WildFire Verdict is Unavailable—Set this option to Allow Unknowns (default) or Block Unknowns when the file is unknown in the local and server cache.
      If local analysis is enabled, Traps always returns a verdict for an unknown DLL file. Therefore, configuring this option only applies to agents for which local analysis is not enabled.
    • ESM Unreachable—Set this option to Allow Unknowns (default) or Block Unknowns when Traps cannot reach the ESM Server to query for a verdict or submit the file for analysis.
  9. (Optional) Add Conditions to the rule. By default, a new rule does not contain any conditions.
  10. (Optional) Define the Target Objects to which to apply the rule. By default, a new rule applies to all objects in your organization.
  11. (Optional) Review the rule name and description. The ESM Console automatically generates the rule name and description based on the rule details but permits you to change these fields, if needed.
  12. Save the rule without activating it or Apply the rule to activate it immediately.
  13. After you configure DLL file protection, you can perform any of the following actions:
    • Although the agent automatically requests the latest security policy at the next heartbeat communication with the ESM Server, you can use the Check In Now option from the Traps console to force an immediate check-in. To verify that the agent received the rule, select Advanced > Policy and review the recent rules.
    • View all security events related to DLLs on the Security Events pages (Preventions > WildFire/Hash Control or Notifications > WildFire/Hash Control).
    • View all analyzed DLLs on the Policies > Malware > Hash Control page.
      To display only verdicts for DLL files, use the search conditions to set File Type: Is: DLL.

Whitelist a DLL File

Whitelisting files can be useful if the associated hash value changes but the filename stays the same. If you do not expect the hash value associated with a DLL file to change and want to whitelist the file, we recommend that you instead configure an administrative hash override for the file.
The ESM maintains a single whitelist which contains the DLL files you whitelist across all DLL Files rules. The whitelist is distributed to the Traps agents with the security policy. When a whitelisted DLL attempts to run, Traps excludes the file from WildFire examination regardless of the loading (parent) process that tries to run it.
  1. Configure a DLL Files rule. In ESM 4.1.1 and later releases, you can define a whitelist in a DLL Files rule with a Rule Type of General module settings. See Configure DLL Files Rules (ESM 4.1.0) or Configure DLL Files Rules (ESM 4.1.1 and Later Releases).
  2. Modify a setting in the DLL Files rule.
    For example, set User Alert to On. This step is required to save a new user-defined rule.
  3. Add the file to the whitelist.
    1. Click the add icon to Whitelist DLLs.
    2. Add the Full Path to the DLL file. Traps will ignore DLL files at the specified paths.
      The whitelist also supports the same environment variables and wildcards that you can use in restriction rules. For example, to allow a file at path C:\temp\myfilename.dll to run, add the path to the whitelist. Or to allow myfilename.dll to run regardless of where myfilename.dll is stored, you can use wildcards to define the full path as *\myfilename.dll.
    3. Repeat this process to specify additional files.
    To apply the whitelist, you must activate (Apply) the rule. Until the rule which specifies the file is activated, the ESM Console identifies the file in plain text. After a rule containing the file is activated, the ESM Console identifies the file in bold. When you delete a file from a whitelist, the ESM Console identifies the file in strike-through font; however, after you apply the rule containing the deleted file, the ESM Console removes the file from the whitelist completely.
  4. Save the rule without activating it or Apply the rule to activate it immediately.