Thanks for the information Klaus! I will ensure that the Program Files and Windows folders are included.
That's very interesting that you experienced blocked files that were not listed in the Event Viewer with SRP. I haven't noticed this problem with AppLocker with the EXE/MSI/Script rules, so perhaps Microsoft fixed this in AppLocker (or I just haven't noticed this). It sounds like, since no one has complained/noticed the performance difference, that perhaps this isn't as bad as I imagined - that's good to know.

Thanks,
-Aakash Shah

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Klaus Hartnegg
Sent: Wednesday, July 12, 2017 6:10 AM
To: [email protected]
Subject: Re: [NTSysADM] Enabling DLL Rules In AppLocker - Any Real-World Advice?

On 10.07.2017 at 22:00, Aakash Shah wrote:
> Hello! Has anyone enabled and enforced DLL rules in your environment?
> I am considering enabling DLL rules for a new round of deployments with
> the default AppLocker DLL ruleset

We enforce DLL rules with Software Restriction Policies, and needed a few more entries in the whitelist.

First, surprisingly, these:

C:\Windows
C:\Program Files

which are usually covered by default entries like

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%

but some drivers fail to load their DLLs when these entries are missing.

And this one:

C:\ProgramData\Sophos

otherwise Sophos Antivirus breaks DNS resolving.

Unfortunately these were *not* all logged in the event viewer, and thus hard to find.

We have not checked for speed difference.
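As an added example that is not part of the thread: a PowerShell script an administrator could run before moving AppLocker DLL rules from AuditOnly to Enforce. It collects the 8003 (audit) and 8004 (block) events from the "Microsoft-Windows-AppLocker/EXE and DLL" log and groups the DLL paths by folder, then, because the thread reports that not every blocked file is logged, it separately tests a sample of DLLs from the folders Klaus lists (C:\Windows, C:\Program Files, C:\ProgramData\Sophos) against the effective policy with Test-AppLockerPolicy. The temp file name, the 7-day window and the sample size are assumptions; the cmdlets and event IDs are the standard AppLocker ones.

```powershell
# Added example, not code from the mailing-list thread.
# Assumes: DLL rules are already enabled in AuditOnly mode and the script
# runs with rights to read the AppLocker event log and the effective policy.

# 1. Export the effective policy so file paths can be tested against it.
$PolicyXml = Join-Path $env:TEMP 'effective-applocker.xml'   # assumed location
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $PolicyXml -Encoding Unicode

# 2. Pull audit (8003) and block (8004) events for the last 7 days (assumed window).
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# AppLocker stores the file details in UserData/RuleAndFileData of the event XML.
$Hits = foreach ($e in $Events) {
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    if ($d.FilePath -like '*.dll') {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Action = if ($e.Id -eq 8004) { 'Blocked' } else { 'WouldBlock' }
            Path   = $d.FilePath
            User   = $d.TargetUser
            Fqbn   = $d.Fqbn
        }
    }
}

# 3. Summarise by parent folder: each folder here is a candidate whitelist entry.
'--- DLLs reported by the event log, grouped by folder ---'
$Hits |
    Group-Object { Split-Path $_.Path -Parent } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. The thread notes that some blocked files never reach the event log, so
#    also test real files from the folders it names directly against the policy.
$Folders = @("$env:windir", "$env:ProgramFiles", "$env:ProgramData\Sophos") |
    Where-Object { Test-Path $_ }

$Sample = foreach ($f in $Folders) {
    # 200 DLLs per folder is an assumed sample size; raise it for a full sweep.
    Get-ChildItem -Path $f -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -First 200 -ExpandProperty FullName
}

'--- DLLs the effective policy would deny (event log not required) ---'
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Sample -User Everyone `
    -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

Run it on a representative workstation while the DLL collection is still in AuditOnly mode; the second table is the one that surfaces entries like the Sophos folder that the first table may miss, and every folder that appears in either list needs a publisher, path or hash rule before you flip the collection to Enforce.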

