WDAC and Microsoft.Build.dll

David Rechtenbach 46 Reputation points
2024-01-11T09:47:29.6933333+00:00

Hello,

We are using WDAC in audit mode together with the "Microsoft Windows Recommended User Mode BlockList" to prevent bypasses of the policy. The "Microsoft Windows Recommended User Mode BlockList" lists Microsoft.Build.dll:

<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />

In the last weeks we saw a lot of auditing events caused by this .dll and the .NET optimization service mscorsvw.exe.

I think these events are caused by Windows updates. So how should we handle incidents like this? Remove Microsoft.Build.dll from the blocklist?

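To triage the audit hits described in the question, the following added PowerShell example (not part of the original post and not Microsoft's code) groups Code Integrity audit events (ID 3076) for Microsoft.Build.dll by the process that loaded the file. The function names, the constructed sample events and the EventData field names "File Name" and "Process Name" are assumptions to confirm against your own logs.

```powershell
# Added example. The EventData field names "File Name" and "Process Name" are
# assumed to match Code Integrity audit event 3076; confirm on your own hosts.
function Get-BlockedLoadSummary {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,
        [string] $FileLeaf = 'Microsoft.Build.dll'
    )
    $hits = foreach ($x in $EventXml) {
        $fields = @{}
        foreach ($d in ([xml]$x).Event.EventData.Data) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        # Compare on the leaf name only; event paths carry \Device\HarddiskVolumeN\ prefixes.
        if ((($fields['File Name']) -split '\\')[-1] -ieq $FileLeaf) {
            [pscustomobject]@{
                Process     = (($fields['Process Name']) -split '\\')[-1].ToLowerInvariant()
                ProcessPath = $fields['Process Name']
                FilePath    = $fields['File Name']
            }
        }
    }
    # One row per loading process, most frequent first, with the distinct paths seen.
    $hits | Group-Object Process | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Process      = $_.Name
            Count        = $_.Count
            ProcessPaths = @($_.Group.ProcessPath | Sort-Object -Unique)
            FilePaths    = @($_.Group.FilePath | Sort-Object -Unique)
        }
    }
}

# Constructed sample events (not real log data), shaped like event 3076 XML.
function New-SampleEvent([string]$Process, [string]$File) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
    "<Data Name='File Name'>$File</Data><Data Name='Process Name'>$Process</Data>" +
    "</EventData></Event>"
}
$fw = '\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework64\v4.0.30319'
$sample = @(
    New-SampleEvent "$fw\mscorsvw.exe" "$fw\Microsoft.Build.dll"
    New-SampleEvent "$fw\mscorsvw.exe" "$fw\Microsoft.Build.dll"
    New-SampleEvent '\Device\HarddiskVolume3\Temp\other.exe' "$fw\Microsoft.Build.dll"
    New-SampleEvent "$fw\mscorsvw.exe" "$fw\System.Core.dll"   # different file, ignored
)
Get-BlockedLoadSummary -EventXml $sample | Format-List

# Live input on a host running the policy in audit mode:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } |
#        ForEach-Object { $_.ToXml() }
# Get-BlockedLoadSummary -EventXml $xml
```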