Scanning and blocking mode
When scanning or blocking executables, DriveLock checks the file as the Windows operating system loads it into memory. Based on the results of the scan and the rules configured in the DriveLock policy, DriveLock will allow or deny program execution.
Scanning and blocking DLLs works the same way: when a program loads DLLs, each of them is checked as it loads.
If you plan to enable Application Control in whitelist mode including DLLs, you must make sure that you do not block any DLLs that are required for your system to function fully.
Note that Windows installs numerous DLLs that are not identified as part of the operating system or the .NET Framework. Also, not all of these DLLs are installed in the Windows system directory, and some do not have a valid Microsoft signature. This is why none of the special rules cover such DLLs.
Example:
Some versions of Windows come with Microsoft OneDrive installed as a standard feature. OneDrive is installed in the user profile and is not part of the operating system. However, Windows Explorer loads OneDrive DLLs. Windows Explorer will quit if these DLLs are not whitelisted in your rules.
Best practice:
We recommend that you enable predictive whitelisting or local whitelisting before you enable DLL blocking. In any case, we recommend starting in simulation mode and evaluating the application control events to whitelist all DLLs required by the system.
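To complement the simulation-mode events, the following added example (not part of DriveLock or its documentation) lists the DLLs a running process has loaded and flags those that lie outside the Windows directory or lack a valid Microsoft signature, as in the OneDrive case above. The process name `explorer` and the signer check on `O=Microsoft Corporation` are assumptions made for this illustration; the classification is a heuristic and not how DriveLock evaluates its rules.

```powershell
# Added example: inventory the DLLs loaded by a process and flag those that
# are unlikely to be covered by OS-oriented rules (outside %SystemRoot% or
# without a valid Microsoft signature). Run it in the logged-on user's
# session, using a PowerShell of the same bitness as the target process.

$ProcessName = 'explorer'   # assumption: the process from the OneDrive example
$winDir      = $env:SystemRoot.TrimEnd('\') + '\'

# Collect the distinct DLL paths loaded by all instances of the process
$modules = Get-Process -Name $ProcessName -ErrorAction Stop |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.FileName -like '*.dll' } |
    Sort-Object FileName -Unique

$report = foreach ($m in $modules) {
    $sig     = Get-AuthenticodeSignature -FilePath $m.FileName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Heuristic: signature validates and the signer's organisation is Microsoft
    $msSigned  = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
    $inWindows = $m.FileName.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)

    [pscustomobject]@{
        Path         = $m.FileName
        InWindowsDir = $inWindows
        SigStatus    = $sig.Status
        MsSigned     = $msSigned
        Signer       = $subject
    }
}

# Candidates that probably need their own whitelist rule before DLL blocking
$report |
    Where-Object { -not $_.InWindowsDir -or -not $_.MsSigned } |
    Sort-Object Path |
    Format-Table Path, InWindowsDir, SigStatus, MsSigned -AutoSize
```

The output is only a snapshot of what is loaded at that moment, so it supplements the evaluation of application control events in simulation mode and does not replace it.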