This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SWBW_Florian
Contributor
‎2025-04-10 12:25 AM

EFR Service monitoring variable DLL files

hey,

our ERP System is creating temporary DLL files in users TEMP directory while navigating to an printpreview window of any datasheet.

this DLL file (temporary, name by coincidence) is watched by EFRService. I can see the monitoring through resmon.exe

unfortunately, sometimes the exclusive access during monitoring takes too much time, so the ERP application cant access the file as it wants to. Its not trying it again, so it fails. if the user is retrying the print-process it works usually.

i need to exclude those files from monitoring. But i dont know how. They are not signed by any certificate and do have flexible names while they are saved in users TEMP directory

how could i manage this?

 

Thanks for any hint

regards

Florian

regards
0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2025-04-10 05:20 AM

Generating random DLL files in a temp directory and they’re not signed?
Not sure you can do that without excluding the temp directory (which is probably a bad idea).

0 Kudos
SWBW_Florian
Contributor
‎2025-04-10 10:46 PM
In response to PhoneBoy

yes, thats how microsoft is working, obviously ... 

we wont exclude the whole TEMP folder. That behaviour is shown on *all* Office PCs ... 

there must be a workaround, right?

regards
0 Kudos
PhoneBoy
Admin
Admin
‎2025-04-11 01:28 PM
In response to SWBW_Florian

TAC might have something, but without a unique way to identify those files, I suspect you're in RFE territory.

Having said that, the behavior of that ERM product seems like a potential security vulnerability that should be reported to the vendor.

0 Kudos
tomgo
Employee
Employee
‎2025-04-13 11:46 PM

Did you try using version 88.62 / 88.70?

 

0 Kudos
SWBW_Florian
Contributor
‎2025-04-22 02:37 AM
In response to tomgo

i have installed 88.32 

but thats more a job at the management engine, right?

regards
0 Kudos
Maxh
Participant
‎2025-04-24 02:59 AM

I have the same issue with Microsoft Dynamics NAV. Did you find a solution?

Endpoint Version: E88.62

0 Kudos
SWBW_Florian
Contributor
‎2025-04-24 04:28 AM
In response to Maxh

unfortunately not. We still have the same issues

regards
0 Kudos
lluner
Advisor
‎2025-04-24 09:28 AM

@SWBW_Florian 

Have you tried doing the exclusions in the forensic blade?

---------------------------------- 

Files can excluded from quarantine by these criteria: Certificate, File path, Folder path, MD5 hash, SHA1 hash and File extension.
File and Folder paths can contain wildcards (*).
File and Folder paths cannot contain environment variables.
For example:
C:\Program Files\MyTrustedDirectory\excludeMe.exe
C:\Program Files\MyTrustedDirectory\*.exe
0 Kudos
SWBW_Florian
Contributor
‎2025-05-08 12:48 AM
In response to lluner

hy

 

yes, i tried it like this:

 

%UserProfile%\AppData\Local\Temp\fileprefix_*

regards
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events