WDAC and Microsoft.Build.dll
Hello,
We are using WDAC in audit mode together with the "Microsoft Windows Recommended User Mode BlockList" to prevent bypasses of the policy. Microsoft.Build.dll is on the "Microsoft Windows Recommended User Mode BlockList":
<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
In the last weeks we saw a lot of auditing events caused by this .dll and the .NET optimization service mscorsvw.exe.
I think these events are caused by Windows updates. So how should we handle incidents like this? Remove Microsoft.Build.dll from the blocklist?