<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic DLP (DataPatrol) signed DLL injection into Word blocked by agent — permanent exception? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/dlp-datapatrol-signed-dll-injection-into-word-blocked-by-agent/m-p/1257867#M126678</link>
    <description>&lt;P&gt;Our DLP watermarks documents by injecting a &lt;STRONG&gt;signed&lt;/STRONG&gt; DLL into &lt;CODE&gt;WINWORD.EXE&lt;/CODE&gt; on print. The Cortex agent blocks the injection — page prints with no watermark, DLL never loads. Works fine with the agent removed. Persists in Report mode, generates &lt;STRONG&gt;no alert/prevention event&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;Tried a &lt;STRONG&gt;Disable Prevention rule&lt;/STRONG&gt; (signer + thumbprint, all modules, global) — no effect, so it's not a prevention module. A &lt;STRONG&gt;Disable Injection &amp;amp; Prevention rule&lt;/STRONG&gt; works but is time-limited and process-wide.&lt;/P&gt;
&lt;P&gt;Has anyone made a &lt;STRONG&gt;permanent, signer-scoped&lt;/STRONG&gt; exception so a trusted signer can inject into a protected process (Office) — without disabling injection protection for Word entirely? Which module actually enforces this? Thanks.&lt;/P&gt;</description>
    <pubDate>Wed, 01 Jul 2026 10:24:13 GMT</pubDate>
    <dc:creator>H.Eldessouki</dc:creator>
    <dc:date>2026-07-01T10:24:13Z</dc:date>
    <item>
      <title>DLP (DataPatrol) signed DLL injection into Word blocked by agent — permanent exception?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dlp-datapatrol-signed-dll-injection-into-word-blocked-by-agent/m-p/1257867#M126678</link>
      <description>&lt;P&gt;Our DLP watermarks documents by injecting a &lt;STRONG&gt;signed&lt;/STRONG&gt; DLL into &lt;CODE&gt;WINWORD.EXE&lt;/CODE&gt; on print. The Cortex agent blocks the injection — page prints with no watermark, DLL never loads. Works fine with the agent removed. Persists in Report mode, generates &lt;STRONG&gt;no alert/prevention event&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;Tried a &lt;STRONG&gt;Disable Prevention rule&lt;/STRONG&gt; (signer + thumbprint, all modules, global) — no effect, so it's not a prevention module. A &lt;STRONG&gt;Disable Injection &amp;amp; Prevention rule&lt;/STRONG&gt; works but is time-limited and process-wide.&lt;/P&gt;
&lt;P&gt;Has anyone made a &lt;STRONG&gt;permanent, signer-scoped&lt;/STRONG&gt; exception so a trusted signer can inject into a protected process (Office) — without disabling injection protection for Word entirely? Which module actually enforces this? Thanks.&lt;/P&gt;</description>
      <pubDate>Wed, 01 Jul 2026 10:24:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dlp-datapatrol-signed-dll-injection-into-word-blocked-by-agent/m-p/1257867#M126678</guid>
      <dc:creator>H.Eldessouki</dc:creator>
      <dc:date>2026-07-01T10:24:13Z</dc:date>
    </item>
  </channel>
</rss>

