The problem with c:\Windows\assembly\NativeImages seemed to be solved by update 424. These are Framework executable files which are compiled in real time on first usage. We have only seen that as an example on Exchange CAS servers before: the first time a user logs onto OWA after an MSP patch, it has that delay once. We had up to 6'000 files per W7 client before that patch, new during the March 2016 Patchday.
Rule 139 - Identify trusted DOT Net assemblies
This rule detects files that have CLR code (DOT Net) and have been installed into the global assembly cache folders. The files are present on multiple machines within the enterprise, indicating they are not just-in-time compiled assemblies.
Default State: Mandatory
Changes in this release: Changed how age and prevalence are handled in the DOT Net validation algorithm.
Also there is a heavy update for ransomware detection.
Rule 240 - Identify suspicious files with characteristics that have been predominantly seen in ransomware
This rule identifies suspicious files with characteristics that have been predominantly seen in ransomware, are in uncommonly used locations and are less than 7 days old.
Default State: Evaluate
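The heuristic behind Rule 139, as an added example that is not part of the original post or of the vendor's product: a Python check that reads the PE optional header for a populated CLR runtime header, then applies the GAC-location and enterprise-prevalence tests. The GAC roots, the prevalence threshold and the header-only PE skeleton used as sample input are constructed assumptions.

```python
import struct

# Index of the CLR runtime header in the PE data directories (COM descriptor);
# a non-zero entry means the file carries CLR (DOT Net) code.
CLR_DIR_INDEX = 14
# Assumed GAC roots: the classic GAC named in the post and the .NET 4 GAC.
GAC_ROOTS = ("c:\\windows\\assembly\\", "c:\\windows\\microsoft.net\\assembly\\")


def is_clr_assembly(data: bytes) -> bool:
    """True if the PE image has a populated CLR runtime header (PE32 or PE32+)."""
    try:
        if data[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        opt = e_lfanew + 4 + 20                  # optional header follows the COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        dd_off = {0x10B: opt + 96, 0x20B: opt + 112}[magic]  # KeyError on unknown magic
        num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]  # NumberOfRvaAndSizes
        if num_dirs <= CLR_DIR_INDEX:
            return False
        rva, size = struct.unpack_from("<II", data, dd_off + 8 * CLR_DIR_INDEX)
        return rva != 0 and size != 0
    except (struct.error, KeyError):
        return False


def classify(path: str, data: bytes, machines_seen: int, min_prevalence: int = 3) -> str:
    """Rule 139 as a heuristic: CLR code + GAC location + prevalence => trusted.
    Low prevalence under the GAC looks like a per-machine native image (threshold assumed)."""
    if not is_clr_assembly(data):
        return "not-clr"
    if not path.lower().startswith(GAC_ROOTS):
        return "clr-outside-gac"
    if machines_seen < min_prevalence:
        return "clr-gac-low-prevalence"
    return "trusted-gac-assembly"


def build_pe(clr: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE skeleton (headers only, not loadable) used as sample input."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0)
    magic, std_len = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt = struct.pack("<H", magic).ljust(std_len - 4, b"\0") + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if clr:
        dirs[CLR_DIR_INDEX] = (0x2008, 0x48)  # any non-zero RVA/size marks CLR code
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    return dos + b"PE\0\0" + coff + opt
```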