AppLocker: open folders

Post by Ruhe on 15/6/2010, 22:26

Even with AppLocker enabled there are some folders that are open for all users.

To get a list of open folders, I checked this with a self-written quick-and-dirty AutoIt script for the folders %windir% and %ProgramFiles%.
The script was executed with my currently used Windows 7 account ("unelevated admin").

The creation of a test file was possible in the following folders:

C:\Windows\debug\WIA
C:\Windows\Registration\CRMLog
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
C:\Windows\System32\com\dmp
C:\Windows\System32\FxsTmp
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\Tasks
C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing

The file could be created in the following folders, but deleting it did not work(?):

C:\Windows\System32\com\dmp
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\Tasks
C:\Windows\Temp
C:\Windows\tracing
If someone is interested in the script...
Ruhe
Valued Member
Posts : 261
Join date : 2010-04-16
Location : Germany
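Ruhe's AutoIt script is not on the page. The block below is an added PowerShell equivalent (not his code) that performs the same probe: it walks %windir% and the Program Files folders, tries to create a file in each folder and then to delete it again, and reports every folder where the create succeeded, together with whether the delete succeeded. It assumes PowerShell 3.0 or later and is meant to be run from the unelevated token you want to measure; AppLocker plays no part in this check, which is purely about NTFS permissions. When a probe file cannot be deleted the block records the file's owner, since the owner together with the folder's CREATOR OWNER entry is the first thing to look at when working out why.

```powershell
# Added example, not the AutoIt script from the post: probe every folder under
# %windir% and the Program Files folders for create and delete access from the
# token PowerShell is running under. Run it unelevated to reproduce the post.
# Assumes PowerShell 3.0 or later (Get-ChildItem -Directory).

function Test-FolderWriteAccess {
    param([Parameter(Mandatory)][string]$Root)

    # The root itself plus every subfolder we can enumerate; folders we cannot
    # even list are skipped silently, which is the conservative choice here.
    $dirs = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $probe = Join-Path $dir.FullName ('probe_{0}.tmp' -f [guid]::NewGuid())
        $created = $false; $deleted = $false; $owner = $null
        try {
            [IO.File]::WriteAllText($probe, 'x')
            $created = $true
            # Deletion is a separate check: some folders grant create rights but
            # the resulting file is not ours to remove. Record its owner if so.
            try { [IO.File]::Delete($probe); $deleted = $true }
            catch { $owner = (Get-Acl -LiteralPath $probe -ErrorAction SilentlyContinue).Owner }
        } catch { }

        if ($created) {
            [pscustomobject]@{
                Path       = $dir.FullName
                CanCreate  = $created
                CanDelete  = $deleted
                ProbeOwner = $owner
            }
        }
    }
}

# ProgramFiles(x86) is only set on 64-bit Windows; empty roots are skipped.
$roots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$results = foreach ($root in $roots) { Test-FolderWriteAccess -Root $root }
$results | Sort-Object Path | Format-Table -AutoSize

# Probe files that could not be deleted are still on disk; list where they are
# so they can be removed from an elevated prompt.
$results | Where-Object { -not $_.CanDelete } | ForEach-Object { "Leftover probe in: $($_.Path)" }
```

Folders that show CanDelete False correspond to Ruhe's second group; the script leaves its probe file behind there, and the last line prints where, so the cleanup can be done from an elevated file manager or prompt as he describes later in the thread.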

Post by ssj100 on 16/6/2010, 02:56

I pretty much agree with this now:
http://www.wilderssecurity.com/showpost.php?p=1679077&postcount=7

So that's exactly the same as your list, except there are presumably some 64-bit folders you don't have. As to file deletion not being possible? Not sure about that. File deletion (and pretty much everything) should be possible if you have admin rights.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator
Posts : 1389
Join date : 2010-04-14
http://ssj100.fullsubject.com

Post by wat0114 on 16/6/2010, 05:45

Ruhe wrote:
The creation of a test file was possible in the following folders:

Okay, but can you launch the test file?

wat0114
Advanced Member
Posts : 152
Join date : 2010-05-11

Post by ssj100 on 16/6/2010, 06:11

wat0114 wrote:
Ruhe wrote:
The creation of a test file was possible in the following folders:

Okay, but can you launch the test file?

Yes execution is possible in all those folders. I tested it myself (after some confusion!).

Post by wat0114 on 16/6/2010, 06:26

ssj100 wrote:
Yes execution is possible in all those folders. I tested it myself (after some confusion!).

Sorry, what I mean is: is it possible with proper AppLocker rules in place, whether they be MrBrian's method or Autogenerated? I don't think it is possible.

Post by ssj100 on 16/6/2010, 06:28

wat0114 wrote:
ssj100 wrote:
Yes execution is possible in all those folders. I tested it myself (after some confusion!).

Sorry, what I mean is: is it possible with proper AppLocker rules in place, whether they be MrBrian's method or Autogenerated? I don't think it is possible.

It is possible with MrBrian's method. Remember that you can execute anything from C:\Program Files. This is why you'd add the exclusions in AppLocker to deny execution from those folders listed above.

With auto-generated rules, it's a different story and you wouldn't need to add those exclusions. They may be able to write to those folders, but they won't be able to execute (since it's not in the white-list rules).

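ssj100's description of MrBrian's method (allow the Windows and Program Files trees by path, then take the user-writable folders back out) can be tried without deploying anything. The block below is an added example, not MrBrian's ruleset and not taken from the Wilders thread: it writes a minimal EXE rule collection that allows Everyone under %WINDIR% and %PROGRAMFILES%, with the folders from Ruhe's 32-bit list as exceptions to the Windows rule (explicit Deny rules for the same paths would work as well), stages a copy of calc.exe in C:\Windows\Temp, and asks Test-AppLockerPolicy how the two copies would be treated. It assumes Windows 7 or later with the AppLocker PowerShell module; the rule names, the file name of the staged copy and the path of the temporary policy file are arbitrary.

```powershell
# Added example, not MrBrian's ruleset: an EXE rule collection in the style of
# his approach (allow the Windows and Program Files trees by path, carve the
# user-writable folders out as exceptions), evaluated with Test-AppLockerPolicy
# without being applied. Assumes Windows 7 or later with the AppLocker module.
Import-Module AppLocker

# The 32-bit list from the first post, in AppLocker path-variable form.
$openFolders = @(
    '%WINDIR%\debug\WIA\*'
    '%WINDIR%\Registration\CRMLog\*'
    '%SYSTEM32%\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*'
    '%SYSTEM32%\com\dmp\*'
    '%SYSTEM32%\FxsTmp\*'
    '%SYSTEM32%\spool\drivers\color\*'
    '%SYSTEM32%\spool\PRINTERS\*'
    '%SYSTEM32%\Tasks\*'
    '%WINDIR%\Tasks\*'
    '%WINDIR%\Temp\*'
    '%WINDIR%\tracing\*'
)
$exceptions = ($openFolders | ForEach-Object { "        <FilePathCondition Path=`"$_`" />" }) -join "`n"

# S-1-1-0 is Everyone. Only the Exe collection is shown; a real policy also
# needs Dll/Script/Msi collections and an allow rule for Administrators.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder minus writable subfolders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
$exceptions
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-open-folders.xml'
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

# Stage a copy of a Windows binary in one of the open folders so the exception
# has something to hit, then compare it with the same binary in its proper place.
$staged = Join-Path $env:windir 'Temp\calc-copy.exe'
Copy-Item -LiteralPath (Join-Path $env:windir 'System32\calc.exe') -Destination $staged
try {
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
        (Join-Path $env:windir 'System32\calc.exe'),
        $staged
    ) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
} finally {
    # May fail unelevated for the reason Ruhe describes; clean up elevated then.
    Remove-Item -LiteralPath $staged -ErrorAction SilentlyContinue
}
```

Expected result: the copy in System32 is allowed by the Windows-folder rule, while the staged copy in Temp falls into the exception, matches no rule and is denied. The same evaluation against the policy actually in force is Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path ..., which is the quick way to confirm the second point above: with auto-generated whitelist rules the staged copy is denied without any exceptions, because nothing in the policy allows it.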

Post by wat0114 on 16/6/2010, 06:44

ssj100 wrote:
It is possible with MrBrian's method. Remember that you can execute anything from C:\Program Files. This is why you'd add the exclusions in AppLocker to deny execution from those folders listed above.

With auto-generated rules, it's a different story and you wouldn't need to add those exclusions. They may be able to write to those folders, but they won't be able to execute (since it's not in the white-list rules).

Right, which is why I like the Autogenerate method better. It virtually eliminates the chance of missing a key directory, as could happen with MrBrian's method, although I doubt that he, or anyone with his technical merit and sound approach to computer security, would miss anything.

Post by ssj100 on 16/6/2010, 06:59

wat0114 wrote:
ssj100 wrote:
It is possible with MrBrian's method. Remember that you can execute anything from C:\Program Files. This is why you'd add the exclusions in AppLocker to deny execution from those folders listed above.

With auto-generated rules, it's a different story and you wouldn't need to add those exclusions. They may be able to write to those folders, but they won't be able to execute (since it's not in the white-list rules).

Right, which is why I like the Autogenerate method better. It virtually eliminates the chance of missing a key directory, as could happen with MrBrian's method, although I doubt that he, or anyone with his technical merit and sound approach to computer security, would miss anything.

Yes I agree. I'm still happily running Windows XP, but when I eventually move to Windows 7, I think I will most likely employ your method of auto-generating. However, I can see some problems with it:
1. Install new application
2. Auto-generate rules again in C:\Program Files and C:\Windows and theoretically risk white-listing a piece of malware
3. Or auto-generate rules in specific folders that will allow the newly installed program to run... but what if you missed something? What if the program installed an executable or driver somewhere else in C:\Program Files or C:\Windows? It would not be easy to find.

Post by Ruhe on 16/6/2010, 11:54

ssj100 wrote:
I pretty much agree with this now:
http://www.wilderssecurity.com/showpost.php?p=1679077&postcount=7

So that's exactly the same as your list, except there are presumably some 64-bit folders you don't have.

Yeah, I'm running 32-bit, and I know the thread on Wilders. The tool now offers me a way to find it out myself.

ssj100 wrote:
As to file deletion not being possible? Not sure about that. File deletion (and pretty much everything) should be possible if you have admin rights.

Currently AppLocker is not active here. I can write to the folders but can't delete my test files later. I had to start a file manager (Total Commander) with full admin rights to remove them.

Post by Ruhe on 16/6/2010, 13:18

By the way, for AppLocker there is a useful tip:

How To Trigger An Action Automatically When Something Goes Wrong in Windows 7

After enabling this for the events 8004 (EXE/DLL) and 8007 (MSI/Script) you will get a user-defined message like "AppLocker_EXE_DLL_8004" or "AppLocker_MSI_Script_8007". Now you know that something was blocked by AppLocker; the blocked application is logged in the Windows Event Viewer.

Post by wat0114 on 22/6/2010, 01:53

Ruhe, this is excellent! Thanks for this. By default it triggers for the Administrator account only, but I want it to trigger for limited ones as well, so I went to the Task Scheduler, highlighted the task, Properties, Security options, "Change User or Group", and changed it to BUILTIN\Everyone.

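Ruhe's tip and wat0114's change to the task's principal can be set up from PowerShell instead of the Task Scheduler GUI. The block below is an added example, not the steps from the linked how-to: it registers a task with an event trigger on AppLocker event IDs 8004 (EXE and DLL log) and 8007 (MSI and Script log) and runs it under a group principal, so it fires in the session of whichever member of the group is logged on when the block happens. It assumes an elevated prompt on Windows 8 / Server 2012 or later, where the ScheduledTasks cmdlets exist (on Windows 7 the same task has to be imported with schtasks.exe /Create /XML), msg.exe for the pop-up (absent on Home editions), and BUILTIN\Users rather than Everyone as the group; the task name and message text are arbitrary.

```powershell
# Added example, not the steps from the linked how-to: an event-triggered task
# that alerts on AppLocker blocks, built with the ScheduledTasks cmdlets and
# registered for the Users group. Assumes an elevated prompt on Windows 8 /
# Server 2012 or later and msg.exe (not present on Home editions).

# Fire on a block event in either AppLocker log.
$subscription = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-AppLocker/EXE and DLL">
    <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*[System[(EventID=8004)]]</Select>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-AppLocker/MSI and Script">
    <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*[System[(EventID=8007)]]</Select>
  </Query>
</QueryList>
'@

# New-ScheduledTaskTrigger has no switch for event triggers, so the trigger is
# built as a client-side MSFT_TaskEventTrigger CIM instance instead.
$triggerClass = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled = $true

# msg.exe * shows the text in every interactive session on the machine; the
# blocked path itself is in the event, so the message only needs to point there.
$action = New-ScheduledTaskAction -Execute 'msg.exe' -Argument '* AppLocker blocked something; see the AppLocker event log'

# Group principal instead of a single account: the post switched this to
# Everyone in the GUI; BUILTIN\Users covers every interactive account here.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited

Register-ScheduledTask -TaskName 'AppLocker block alert' -Trigger $trigger -Action $action -Principal $principal -Force

# Confirm the task exists; after provoking a block, LastTaskResult shows whether
# the action ran.
Get-ScheduledTask -TaskName 'AppLocker block alert' | Get-ScheduledTaskInfo
```

To test it, launch something the policy blocks from a limited account and check that the message appears in that session; Get-ScheduledTaskInfo's LastRunTime and LastTaskResult confirm the trigger fired even if msg.exe is missing.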

Post by Ruhe on 22/6/2010, 22:12

How do you handle the above open folders (within AppLocker)?

Post by wat0114 on 23/6/2010, 03:17

Ruhe wrote:
How do you handle the above open folders (within AppLocker)?

Mostly with the Autogenerate option, but I've had to create a few custom rules based on some blocks of legit executables that were nicely revealed in the Event Viewer, including a few within the %System32% directory and a few under some of the user's AppData directories. I am careful to only initially Autogenerate under the %PROGRAMFILES% directories (Program Files and Program Files (x86)) on a new install of Windows 7 x64 with the majority of the applications installed. After that, I simply update the ruleset as I add more programs or the file hash changes for rules that use the file hash rule type. Always the Publisher type is preferred, followed by hash, then by path, as necessary. All rules are whitelist types, so any executable not included anywhere in the rules that attempts to launch is denied by default, even if it tries to launch from one of the folders you've listed.


Last edited by wat0114 on 23/6/2010, 03:48; edited 1 time in total

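wat0114's workflow (auto-generate a base ruleset, then add the legitimate executables that show up as blocked in the AppLocker event log, publisher rules first and hash rules when a file is unsigned) can be scripted end to end. The block below is an added example and not his ruleset: it reads the Denied events from both AppLocker logs with Get-AppLockerFileInformation, lists which files were blocked, how often, and whether they carry a publisher, and drafts publisher/hash allow rules for them into an XML file for review. It assumes Windows 7 or later with the AppLocker module and an enforced (or audited) policy that has already logged some blocks; the draft file name is arbitrary.

```powershell
# Added example, not wat0114's ruleset: read the files AppLocker has denied from
# its event logs (8004 in EXE and DLL, 8007 in MSI and Script), summarise them,
# and draft allow rules in the preference order he describes: publisher first,
# hash for unsigned files. Path rules are deliberately left to be written by hand.
# Assumes Windows 7 or later with the AppLocker module and some logged blocks.
Import-Module AppLocker

$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'

# Get-AppLockerFileInformation can read the AppLocker logs directly and returns
# path, publisher and hash per event, so no XML parsing of the events is needed.
# Use -EventType Audited instead when the policy is in audit-only mode.
$denied = foreach ($log in $logs) {
    Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Denied -ErrorAction SilentlyContinue
}

# Which files keep getting blocked, and are they signed? Publisher is empty for
# unsigned files, which is exactly where a hash rule becomes the fallback.
$denied |
    Group-Object { "$($_.Path)" } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Blocked   = $_.Count
            Path      = $_.Name
            Publisher = "$($_.Group[0].Publisher)"
        }
    } | Format-Table -AutoSize

# Draft rules for review. -Optimize merges rules that share a publisher; the XML
# goes to a file rather than into the policy, so nothing changes until merged.
if ($denied) {
    $draft = Join-Path $env:TEMP 'applocker-draft-rules.xml'
    $denied |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
        Out-File -LiteralPath $draft -Encoding UTF8
    "Draft rules written to $draft; review them before Set-AppLockerPolicy -XmlPolicy $draft -Merge"
}
```

Path rules are not generated on purpose: a path rule that points into a user-writable location allows anything that lands there, so those are better written by hand, as narrowly as the program allows. Review the draft before merging it, since every file in it came from an attempt to run something the policy did not permit, legitimate or not.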

Post by ssj100 on 23/6/2010, 03:39

wat0114, when you say you had to create a few custom rules, are you saying you had to allow executable code from outside of C:\Program Files and C:\Windows?

Post by wat0114 on 23/6/2010, 03:47

Yes, not many, and all legit executables of course. I wish I could post attachments. However, one example is a Path rule for Mark Russinovich's Process Explorer as follows: %OSDRIVE\Users\ .\AppData\Local\Temp\PROCEXP64.exe This allows all users to launch it in place of Task Manager.


Post by ssj100 on 23/6/2010, 03:54

I see, you'd need to add those rules regardless of whether you used MrBrian's method or yours anyway.

Post by wat0114 on 23/6/2010, 04:05

That is correct. It's just a matter of getting a base ruleset created, then adding legit apps that are found to be blocked under Event Viewer > Applications and Services Logs > Microsoft > Windows > AppLocker.


Post by Ruhe on 23/6/2010, 13:21

And you have to allow execution in the container folder of Sandboxie if you install (and later execute) software sandboxed.

Post by wat0114 on 24/6/2010, 04:54

Ruhe wrote:
And you have to allow execution in the container folder of Sandboxie if you install (and later execute) software sandboxed.

Okay, I see. I've never used Sandboxie with AppLocker, only with SRP.
