Version: 6.12.0

Library Loading

The purpose of the Library rule is to prevent a protected application from loading any library that it should not have access to or be allowed to execute, or (with whitelists) to restrict which libraries are allowed to be loaded or executed.

Overview

The method or attack that causes the protected application to attempt to load a specific library is irrelevant to this rule.  This rule only looks at, and potentially protects against, the end result of any such attack. This protection isn't specific to a CWE or other defined or limited attack.

Rule Options

Paths to Libraries

Here you enter paths to libraries, or list specific libraries (no path required), that the rule will apply to.  Generally speaking this can be applied in 2 different ways:

  • you can list a number of paths and/or libraries (no path required) that you wish to prevent from being executed, via the Protect action, or
  • you can create a pair of rules where the first rule uses a path to protect (e.g. /usr/bin/*), and the second rule allows or whitelists specific libraries (via the Allow/Whitelist action) contained within that path, such as allowMe.lib.

This way if there are 100 libraries in that directory and you wish to protect 98 of them, you do not have to create 98 rules or an unwieldy rule listing 98 libraries.  You can create 1 rule to protect against all of the libraries within a path, and create another rule to carve out the 2 that you want to allow to be executed.

In essence, the Allow/Whitelist option lets us say “Protect all of these libraries” (wildcard protect rule) followed by “Except these” (allow rule), instead of saying “Protect this library” (standard rule, 98 times).

You can type paths or libraries into the text field; upon typing a comma or pressing the Return/Enter key, the entry is accepted and converted to a pill object, which can then be removed from the list by clicking the pill's cross symbol (x).

Action

  • Detect - The Agent will detect the execution of listed libraries and generate a Security Event, viewable on the Security Events pages in the Portal, but will take no further action.
  • Protect - In addition to the Detect actions, the Waratek Agent will also actively prevent the execution of the listed libraries, or of anything within the protected paths, from succeeding.
  • Allow - Acts as a whitelist; it supersedes the Protect action by whitelisting libraries that are to be excluded from Protect actions.
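The following is an added example, not Waratek's code, showing how the protect/allow rule pairing described under Paths to Libraries and the three actions above combine for a single library load attempt. It assumes matching semantics the page does not spell out: an entry containing a "/" is treated as a path pattern with shell wildcards (as in /usr/bin/*), a bare name such as allowMe.lib is matched against the library's file name, Allow wins over Protect and Detect regardless of rule order, Protect always generates the Detect event as well, and an allowed load generates no event. The rule set and library paths are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from posixpath import basename

DETECT, PROTECT, ALLOW = "detect", "protect", "allow"


@dataclass(frozen=True)
class Rule:
    entries: tuple   # the "pills" entered in the Paths to Libraries field
    action: str      # DETECT, PROTECT or ALLOW


def entry_matches(entry, library_path):
    """Assumption: entries containing "/" are wildcard path patterns
    (fnmatch semantics); bare names are compared to the file name only."""
    if "/" in entry:
        return fnmatch(library_path, entry)
    return basename(library_path) == entry


def evaluate(rules, library_path):
    """Return (blocked, event_generated, reason) for one load attempt."""
    matched = [(rule, entry) for rule in rules for entry in rule.entries
               if entry_matches(entry, library_path)]
    # Assumption: Allow supersedes Protect/Detect, whatever the rule order.
    for rule, entry in matched:
        if rule.action == ALLOW:
            return (False, False, f"allowed by {entry!r}")
    # Protect includes the Detect behaviour, so an event is always raised.
    if any(rule.action == PROTECT for rule, _ in matched):
        return (True, True, "protected: load blocked and event generated")
    if matched:
        return (False, True, "detected: event generated, load permitted")
    return (False, False, "no rule matched")


# Constructed rule set mirroring the page's "protect 98 of 100" scenario:
# one wildcard Protect rule over the directory plus one Allow rule that
# carves out the libraries that may still be loaded.
RULES = (
    Rule(("/usr/bin/*",), PROTECT),
    Rule(("allowMe.lib", "alsoAllowMe.lib"), ALLOW),
    Rule(("/opt/legacy/*.so",), DETECT),
)


def simulate(library_path, rules=RULES):
    """Convenience wrapper that labels the outcome for one load attempt."""
    blocked, event, reason = evaluate(rules, library_path)
    return {"library": library_path, "blocked": blocked,
            "event": event, "reason": reason}


if __name__ == "__main__":
    for lib in ("/usr/bin/evil.lib", "/usr/bin/allowMe.lib",
                "/opt/legacy/old.so", "/lib/libc.so.6"):
        print(simulate(lib))
```

Because allow is checked before protect across all matched rules, the two rules can be entered in either order; only the entries themselves decide the outcome, which is the point of the pairing described above.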