Scanning and blocking mode
When executable programs are scanned or blocked, DriveLock checks the file while it is being loaded into memory by the Windows operating system. Depending on the result of the check and the rules configured in the DriveLock policy, DriveLock allows or denies program execution.
Scanning or blocking DLLs works the same way: every DLL that a program loads is checked as it loads.
If you plan to activate Application Control in whitelist mode including DLLs, you must ensure that you do not block any DLLs that are required for your system to function fully.
Note that Windows installs numerous DLLs that are not identified as part of the operating system or the .NET Framework. Also, not all of these DLLs are installed in the Windows system directory, and some do not have a valid Microsoft signature. This is why none of the special rules cover such DLLs.
Example:
Some versions of Windows come with Microsoft OneDrive installed as a standard feature. OneDrive is installed in the user profile and is not part of the operating system. However, Windows Explorer loads OneDrive DLLs. Windows Explorer will quit if these DLLs are not whitelisted in your rules.
Best practice:
We recommend that you enable predictive whitelisting or local whitelisting before you enable DLL blocking. In any case, you should start in simulation mode and evaluate the application control events in order to whitelist all DLLs required by the system.
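As a complement to evaluating events in simulation mode, the following added example (not part of DriveLock or its documentation) lists the DLLs currently loaded by a process that sit outside the Windows directory or lack a valid Microsoft signature, such as the OneDrive DLLs in Explorer. It uses only built-in PowerShell cmdlets; the default process name and the signer match on `O=Microsoft Corporation` are assumptions.

```powershell
# Added example: find loaded DLLs that generic "operating system" or
# "Microsoft-signed" rules would probably not cover.
param(
    # Assumption: Explorer, as in the OneDrive example above.
    [string]$ProcessName = 'explorer'
)

# Windows directory with a trailing backslash, so that a sibling folder
# whose name merely starts with "Windows" does not match.
$windowsDir = [Environment]::GetFolderPath('Windows').TrimEnd('\') + '\'

Get-Process -Name $ProcessName -ErrorAction Stop |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.FileName -like '*.dll' } |
    Sort-Object -Property FileName -Unique |
    ForEach-Object {
        # Authenticode check (embedded or catalog signature).
        $sig    = Get-AuthenticodeSignature -FilePath $_.FileName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Path            = $_.FileName
            InWindowsDir    = $_.FileName.StartsWith($windowsDir, [StringComparison]::OrdinalIgnoreCase)
            SignatureStatus = $sig.Status
            # Assumption: Microsoft binaries carry this organization in the subject.
            MicrosoftSigned = ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')
            Signer          = $signer
        }
    } |
    # Keep only DLLs that need an explicit whitelist decision.
    Where-Object { -not $_.InWindowsDir -or -not $_.MicrosoftSigned } |
    Sort-Object -Property Path |
    Format-Table -AutoSize -Wrap
```

The output is a snapshot of one process at one moment; DLLs loaded later or by other processes do not appear, so the application control events from simulation mode remain the authoritative source.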