Software Restriction Policies - Configurations

Discussion in 'other software & services' started by Tyrizian, May 12, 2016.

  1. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    I am quite new to Software Restriction Policies and currently experimenting with it. I am curious as to what is a tight configuration, which is why I thought it would be a good idea to share our individual configurations with one another, in hopes we can all learn something new.

    Like I said, I am quite new to Software Restriction Policies and am currently experimenting, but for those who have a little more experience in SRP than I do, I would love your feedback on my configuration.

    Does it look good, or could it use a little more tightening?

    My configuration (Windows 10 Pro x64):

    Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies

    Enforcement


    Select > All software files
    Select > All users except local administrators
    Select > Ignore certificate rules

    Designated File Types:

    Remove: LNK, URL
    Add: JSE, JAR, PS1, VBS, JS, SCT, VBE, WS, WSF, WSH

    Security Levels

    Disallowed - Software will not run, regardless of the access rights of the user.

    Additional Rules > New Path Rule... > Disallowed

    %UserProfile%\AppData\*.exe
    %UserProfile%\AppData\*\*.exe
    %UserProfile%\AppData\Local\Temp\Rar*\*.exe
    %UserProfile%\AppData\Local\Temp\7z*\*.exe
    %UserProfile%\AppData\Local\Temp\wz*\*.exe
    %UserProfile%\AppData\Local\Temp\*.zip\*.exe
    %UserProfile%\AppData\Local\Temp\*\*.exe
    %UserProfile%\AppData\Local\*.exe
    %UserProfile%\AppData\Local\*\*.exe
    %UserProfile%\AppData\Local\*.msi
    %UserProfile%\AppData\Local\*\*.msi

    Additional Rules

    Unrestricted by default
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

    Additional Rules > New Path Rule > Unrestricted

    C:\Program Files (x86)\
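A quick way to confirm that a configuration like the one above actually took effect is to read the policy back from the registry rather than trusting the editor's view. The PowerShell script below is an added example, not code from this thread; it assumes the standard location of the SRP (Safer) settings under HKLM and the level codes 0, 131072 and 262144 for Disallowed, Basic User and Unrestricted. Run it from an elevated prompt.

```powershell
# Added example, not from the thread: read the SRP settings that the Local
# Group Policy editor writes under HKLM and print them in the same terms the
# posts above use (Security level, Enforcement, Apply to, Designated file
# types, path rules). Value meanings assumed from the Safer policy layout:
#   DefaultLevel        0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted
#   TransparentEnabled  1 = all software files except libraries, 2 = all software files
#   PolicyScope         0 = all users, 1 = all users except local administrators
#   AuthenticodeEnabled 1 = enforce certificate rules, 0 = ignore them
$base      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $base)) { Write-Warning 'No SRP policy is configured on this machine.'; return }
$ci = Get-ItemProperty -Path $base

$enforcement = switch ([int]$ci.TransparentEnabled) {
    1       { 'All software files except libraries (such as DLLs)' }
    2       { 'All software files' }
    default { "Unknown value $_" }
}
$scope = if ([int]$ci.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' }
$certs = if ([int]$ci.AuthenticodeEnabled -eq 1) { 'Enforce certificate rules' } else { 'Ignore certificate rules' }

[pscustomobject]@{
    SecurityLevel       = $levelName[[int]$ci.DefaultLevel]
    Enforcement         = $enforcement
    ApplyTo             = $scope
    CertificateRules    = $certs
    DesignatedFileTypes = (@($ci.ExecutableTypes) | Sort-Object) -join ', '
} | Format-List

# Path rules live under <level>\Paths\{GUID}; ItemData holds the path itself.
$rules = foreach ($level in 0, 131072, 262144) {
    $paths = Join-Path $base "$level\Paths"
    if (-not (Test-Path $paths)) { continue }
    foreach ($key in Get-ChildItem -Path $paths) {
        $r = Get-ItemProperty -Path $key.PSPath
        $modified = if ($r.LastModified) { [datetime]::FromFileTime([int64]$r.LastModified) } else { $null }
        [pscustomobject]@{
            Level       = $levelName[$level]
            Path        = $r.ItemData
            Description = $r.Description
            Modified    = $modified
        }
    }
}
$rules | Sort-Object Level, Path | Format-Table -AutoSize
```

Comparing this output with the lists posted above is the fastest way to catch a rule that was typed into the wrong security level, or a designated file type that did not save.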
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Here is my configuration:

    Security levels: Disallowed
    Enforcement: All software files except libraries; All users; Ignore certificate rules
    Designated file types: removed LNK; added JSE, PS1, SCT, VBE, VBS, WS, WSF, WSH
    Trusted publishers: disabled
    Additional rules:

    [Attachment: screenshot of the Additional Rules list, upload_2016-5-13_5-33-50.png]

    I also block 2 additional exe's using ACL (so that they don't fill up my log of blocked events):
    C:\Users\[User]\AppData\Roaming\uTorrent\updates\3.4.5_41865\utorrentie.exe
    C:\Users\[User]\AppData\Local\Google\Chrome\User Data\SwReporter\6.48.6\software_reporter_tool.exe

    I also created a custom view for SRP blocked events and configured a task. This way I get a message each time an action is blocked. More here: http://www.ghacks.net/2010/08/30/how-to-create-desktop-notifications-for-windows-events/
     
    Last edited: May 12, 2016
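Before building a custom view or a notification task on the blocked events, it helps to see what SRP actually writes and which rule is doing the blocking. The script below is an added example, not code from this thread or the linked article; it assumes the SRP provider name in the Application log and the event IDs 865 (default level), 866 (path rule), 867 (certificate rule), 868 (zone rule) and 882 (hash rule), and the wording of the event message is an assumption as well.

```powershell
# Added example, not from the thread: summarize recent SRP block events from
# the Application log by blocked file, so you can see what a custom view or
# notification task would fire on and whether the rule that fired is the one
# you intended. Provider name and event IDs are assumed from the SRP event
# source: 865 default level, 866 path rule, 867 certificate rule,
# 868 zone rule, 882 hash rule.
param([int]$Hours = 24)

$ruleKind = @{ 865 = 'default level'; 866 = 'path rule'; 867 = 'certificate rule'; 868 = 'zone rule'; 882 = 'hash rule' }
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    Id           = 865, 866, 867, 868, 882
    StartTime    = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises an error when nothing matches, so silence it and report.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { Write-Host "No SRP block events in the last $Hours hours."; return }

$events | ForEach-Object {
    # Message text assumed to read "Access to <path> has been restricted by your
    # Administrator by <cause>..."; fall back to the whole message otherwise.
    $file = if ($_.Message -match 'Access to (?<file>.+?) has been restricted') { $Matches.file } else { $_.Message }
    [pscustomobject]@{ Time = $_.TimeCreated; File = $file; Rule = $ruleKind[[int]$_.Id] }
} |
Group-Object -Property File |
Sort-Object -Property Count -Descending |
Select-Object Count,
    @{ n = 'File';     e = { $_.Name } },
    @{ n = 'Rule';     e = { (@($_.Group.Rule) | Select-Object -Unique) -join ', ' } },
    @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
Format-Table -AutoSize
```

The same filter hashtable (log name, provider, IDs) is what the Event Viewer custom view and the task trigger in the linked article are built on, so a file that shows up here repeatedly is either legitimate software that needs a rule or something you want to be alerted about every time.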
  3. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Interesting, I learned a few other things, thanks.

    Now, as for my question for you...

    Should I add "C:\Program Files" and "C:\Windows" as Unrestricted, considering that these default paths are already added? ...

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

    I'm thinking not, but I figured I would ask anyways.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I've had problems with a few apps that wouldn't run with default rules but would run with path rules. That's why I always replace default rules with paths. You can leave default rules if you don't have any problems.

    * I can't seem to remember which software was not running with default rules :(
     
  5. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Thank you very much @Minimalist :thumb:
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    You're welcome :)
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    For those who use the Chrome browser, there is another path to add as a Disallowed rule:
    C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics
    It seems that one of the recent updates created this folder (or changed permissions on it).
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I hope I can dredge up this old thread again. I've had a he** of a time trying to achieve a full "default-deny" SRP on Windows 10 Pro x64, without breaking something. Advanced logging enabled does not always show what's being disallowed. My first effort resulted in broken wifi, the second in a system that ran at a snail's pace. Finally I did some digging in file explorer and found some additional paths required, especially for Windows Defender. Things are working well so far with my ruleset below.

    Security Levels: Disallowed
    Enforcement: All Software files
    Apply to: all users except Local Administrators
    Designated File types: Defaults but removed LNK and added: PS1, JSE, VBS, SCT, VBE, WSF


    Code:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Path Unrestricted
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% Path Unrestricted
    C:\Program Files Path Unrestricted
    C:\Program Files (x86) Path Unrestricted
    C:\ProgramData\Microsoft\ClickToRun\{*}\integrator.exe Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{*}\*.dll Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Offline Scanner\*.dll Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Offline Scanner\*.exe Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Platform\*\*.dll Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Platform\*\*.exe Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Scans\*.bin Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Scans\*.exe Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Support\*.bin Path Unrestricted
    C:\Users\user_name\AppData\Local\*\Engine\HostAppServiceUpdater.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Google\Chrome Beta\User Data\PepperFlash\*\pepflashplayer.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Host App Service\Uninstall.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*\FileSync*.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*\qjpeg.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*\qsvg.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*\qwindows.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*EAY32.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\ADAL.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\amd64\FileCoAuthLib64.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\ETWLog.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\FileCoAuthLib.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\FileSync*.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\LoggingPlatform.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\LogUploader.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\MSVCP140.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick.2\qtquick2plugin.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Controls.2\qtquickcontrols2plugin.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Layouts\qquicklayoutsplugin.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Templates*\qtquicktemplates2plugin.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Window.2\windowplugin.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\QT5*.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\RemoteAccess.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\SyncEngine.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\Telemetry.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\ucrtbase.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\UpdateRingSettings.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\VCRUNTIME140.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\WnsClient.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\WnsClientApi.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\OneDrive.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\Update\*.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Temp\*.tmp\GoogleUpdate.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Temp\~nsu.tmp\Un_*.exe Path Unrestricted
    C:\Users\user_name\Desktop\Autoruns64.exe Path Unrestricted
    C:\Windows Path Unrestricted
    C:\Windows\TEMP\CR_6BF41.tmp Path Unrestricted
    Before this effort I had to run a "Default-allow" setup and restrict mainly user-space directories. It was better than nothing but far from ideal. So far this setup is running fine. The moderate use of wildcards makes maintenance a bit easier, while still maintaining a nice level of security. I have disabled Real time monitoring in WD antivirus.

    How to enable advanced logging: -https://www.itprotoday.com/security/q-how-can-we-verify-software-restriction-policy-srp-rule-we-defined-one-our-applications
     
    Last edited: Nov 19, 2018
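The advanced log mentioned above records every file SRP evaluates, which is how the Defender and OneDrive entries in a ruleset like this get discovered. The script below is an added example, not code from this thread or the linked article; it assumes that a LogFileName (REG_SZ) value under the CodeIdentifiers key enables the trace, and it assumes the trace line format shown in its comments, so treat the regular expression as something to adjust if your build writes the lines differently. The sample lines it parses are constructed, not a real trace.

```powershell
# Added example, not from the thread: turn on SRP advanced logging and reduce
# the trace to the files that were refused and the rule that refused them.
# Assumptions: the LogFileName (REG_SZ) value under CodeIdentifiers enables
# the trace, and each trace line has the shape
#   <process> (PID = <n>) identified <file> as <Level> using <kind> rule, Guid = {<guid>}
$ci      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$logFile = 'C:\SRP\srp.log'    # constructed path; pick any location the engine can write to

function Enable-SrpAdvancedLogging {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    Set-ItemProperty -Path $ci -Name LogFileName -Value $Path
}

function Disable-SrpAdvancedLogging {
    Remove-ItemProperty -Path $ci -Name LogFileName -ErrorAction SilentlyContinue
}

function ConvertFrom-SrpTrace {
    # Parses trace lines into objects; lines that do not match are dropped.
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin {
        $pattern = '^(?<proc>.+?) \(PID = (?<pid>\d+)\) identified (?<file>.+?) as (?<level>\w+(?: \w+)?) using (?<kind>.+?) rule, Guid = \{(?<guid>[0-9A-Fa-f-]+)\}'
    }
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Process = $Matches.proc; PID = [int]$Matches.pid; File = $Matches.file
                Level = $Matches.level; Rule = $Matches.kind; Guid = $Matches.guid
            }
        }
    }
}

function Get-SrpRefusals {
    # Groups Disallowed evaluations by file and rule, most frequent first.
    param([Parameter(ValueFromPipeline)][psobject]$Entry)
    begin { $all = @() }
    process { if ($Entry.Level -eq 'Disallowed') { $all += $Entry } }
    end {
        $all | Group-Object File, Rule | Sort-Object Count -Descending |
            Select-Object Count,
                @{ n = 'File';    e = { $_.Group[0].File } },
                @{ n = 'Rule';    e = { $_.Group[0].Rule } },
                @{ n = 'Process'; e = { (@($_.Group.Process) | Select-Object -Unique) -join ', ' } }
    }
}

# Constructed sample lines (not a real trace) so the parser can be tried offline:
$sample = @(
    'explorer.exe (PID = 4120) identified C:\Users\user_name\AppData\Local\Microsoft\OneDrive\OneDrive.exe as Disallowed using default rule, Guid = {00000000-0000-0000-0000-000000000000}',
    'OneDrive.exe (PID = 5208) identified C:\Users\user_name\AppData\Local\Microsoft\OneDrive\19.0.0.0\SyncEngine.dll as Disallowed using default rule, Guid = {00000000-0000-0000-0000-000000000000}',
    'OneDrive.exe (PID = 5208) identified C:\Users\user_name\AppData\Local\Microsoft\OneDrive\19.0.0.0\SyncEngine.dll as Disallowed using default rule, Guid = {00000000-0000-0000-0000-000000000000}',
    'svchost.exe (PID = 1032) identified C:\Windows\System32\ntdll.dll as Unrestricted using path rule, Guid = {11111111-1111-1111-1111-111111111111}'
)
$sample | ConvertFrom-SrpTrace | Get-SrpRefusals | Format-Table -AutoSize

# On a live machine (elevated): Enable-SrpAdvancedLogging -Path $logFile,
# reproduce the failure, then: Get-Content $logFile | ConvertFrom-SrpTrace | Get-SrpRefusals
```

Because the trace lists every evaluation, it grows quickly; switch it off again with Disable-SrpAdvancedLogging once the missing rules have been found.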
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    It's the dlls that were killing you. If you skip dll monitoring, you don't have problems, because the exe events show up in logging.

    I think it would be easier to use Excubits MZWriteScanner and configure it to monitor dlls in user space, if you are concerned about dlls.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    @wat0114
    I guess that those rules are needed only if you use Windows Defender and OneDrive? If you disable both, you don't have to set them. Or am I wrong?
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    No doubt it was the dll's causing problems. Things have been smooth sailing so far with these new rules. Excubits is something I might try in the future, but I'm happy so long as SRP will work.

    I think you are right. I use them both so I have to set them.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Some rule modifications to tighten things up by excluding the two defaults, adding some Disallowed paths because they allow users to write to them, and adding a rule to allow the Start menu to open.

    If you want to scan directories for permissions, Sysinternals AccessEnum run as Administrator will do the trick.

    Code:
    C:\Windows\Registration\CRMLog Path Disallowed
    C:\Windows\Sys*\Tasks\Microsoft\Windows\PLA\System Path Disallowed
    C:\Windows\System32\FxsTmp Path Disallowed
    C:\Windows\SysWOW64\FxsTmp Path Disallowed
    C:\Windows\Temp Path Disallowed
    C:\Program Files Path Unrestricted
    C:\Program Files (x86) Path Unrestricted
    C:\ProgramData\Lenovo\iMController\Plugins\ThinkIntelligentSensingPackage_\x86\*.PS1 Path Unrestricted
    C:\ProgramData\Microsoft\ClickToRun\{*}\integrator.exe Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{*}\*.dll Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Offline Scanner\*.dll Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Offline Scanner\*.exe Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Platform\*\*.dll Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Platform\*\*.exe Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Scans\*.bin Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Scans\*.bin.* Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Scans\*.exe Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Support\*.bin Path Unrestricted
    C:\Users\user_name\AppData\Local\*\Engine\HostAppServiceUpdater.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Google\Chrome Beta\User Data\PepperFlash\*\pepflashplayer.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Host App Service\Uninstall.exe Path Unrestricted Allow uninstallation of selected Apps
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*\FileSync*.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*\qjpeg.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*\qsvg.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*\qwindows.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*EAY32.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\ADAL.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\amd64\FileCoAuthLib64.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\ETWLog.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\FileCoAuthLib.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\FileSync*.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\LoggingPlatform.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\LogUploader.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\MSVCP140.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick.2\qtquick2plugin.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Controls.2\qtquickcontrols2plugin.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Layouts\qquicklayoutsplugin.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Templates*\qtquicktemplates2plugin.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Window.2\windowplugin.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\QT5*.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\RemoteAccess.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\SyncEngine.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\Telemetry.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\ucrtbase.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\UpdateRingSettings.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\VCRUNTIME140.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\WnsClient.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\WnsClientApi.dll Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\OneDrive.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\Update\*.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Temp\*.tmp\GoogleUpdate.exe Path Unrestricted Allow Google Chrome to update
    C:\Users\user_name\AppData\Local\Temp\~nsu.tmp\Un_*.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\*\*.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe Path Unrestricted
    C:\Users\user_name\AppData\Local\Temp\~nsu.tmp\Un_*.exe Path Unrestricted
    C:\Users\user_name\Desktop\Autoruns64.exe Path Unrestricted
    C:\Windows Path Unrestricted
    C:\Windows\SystemApps\ShellExperienceHost_*\*.exe Path Unrestricted Allow Start menu to open
    C:\Windows\Temp\0E2B6AB2-\*.dll Path Unrestricted
    C:\Windows\TEMP\CR_6BF41.tmp Path Unrestricted Google Chrome updates
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    You don't have many disallowed rules. On my Windows 7 there are many more user-writable directories under c:\Windows. Maybe that changes with Windows 10.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Yeah there weren't that many I found, although my config is still kind of a work in progress and subject to change depending on anything I discover as a possible security hole. I remember Win 7 as having more writable directories than 10.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I see you've used AccessEnum to check permissions. Maybe you can try Sysinternals AccessChk to see if it shows more problematic objects. https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk

    You can run these commands as admin (results will be saved to D:\access.txt):

    Code:
    accesschk -w -s -q -u Users "C:\Program Files" >> "D:\access.txt"
    accesschk -w -s -q -u Users "C:\Program Files (x86)" >> "D:\access.txt"
    accesschk -w -s -q -u Users "C:\Windows" >> "D:\access.txt"
    accesschk -w -s -q -u Everyone "C:\Program Files" >> "D:\access.txt"
    accesschk -w -s -q -u Everyone "C:\Program Files (x86)" >> "D:\access.txt"
    accesschk -w -s -q -u Everyone "C:\Windows" >> "D:\access.txt"
    accesschk -w -s -q -u "Authenticated Users" "C:\Program Files" >> "D:\access.txt"
    accesschk -w -s -q -u "Authenticated Users" "C:\Program Files (x86)" >> "D:\access.txt"
    accesschk -w -s -q -u "Authenticated Users" "C:\Windows" >> "D:\access.txt"
    accesschk -w -s -q -u Interactive "C:\Program Files" >> "D:\access.txt"
    accesschk -w -s -q -u Interactive "C:\Program Files (x86)" >> "D:\access.txt"
    accesschk -w -s -q -u Interactive "C:\Windows" >> "D:\access.txt"
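The same check can be done without AccessChk, which also makes it easy to script and to feed straight into a list of candidate Disallowed rules. The script below is an added example, not code from this thread; it uses Get-Acl only, matches the four groups from the commands above by their well-known SIDs so it works on non-English Windows, and writes its results to a constructed CSV path. Its limits are stated in the comments: it looks only at Allow entries for those groups, so a Deny entry or nested group membership is not evaluated, and a hit should be confirmed by trying to create a file there as a standard user.

```powershell
# Added example, not from the thread: list directories under the Unrestricted
# roots that broad user groups can write to, using Get-Acl only (no AccessChk
# needed). Every hit is a candidate for a Disallowed path rule like the FxsTmp,
# Temp and spool entries in this thread. Identities are matched by well-known
# SID so the check works on non-English Windows. Limits: only Allow ACEs for
# these four groups are considered; Deny ACEs and nested group membership are
# not evaluated, so confirm a hit by creating a test file as a standard user.
$roots = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$groupSids = @{
    'S-1-5-32-545' = 'Users'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow dropping or modifying a file in the directory, plus the
# generic bits GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) that
# some ACEs carry instead of the specific rights.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

function Get-UserWritableDirectory {
    param([string[]]$Root, [hashtable]$Sids)
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.FullName
            try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { return }
            # Ask for the rules with SIDs as the identity, explicit and inherited.
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            $hits = @($rules | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $Sids.ContainsKey($_.IdentityReference.Value) -and
                (([int]$_.FileSystemRights) -band $writeMask) -ne 0
            })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Directory = $dir
                    Group     = ($hits | ForEach-Object { $Sids[$_.IdentityReference.Value] } | Select-Object -Unique) -join '; '
                    Rights    = ($hits | ForEach-Object { "$($_.FileSystemRights)" } | Select-Object -Unique) -join '; '
                }
            }
        }
    }
}

# Run elevated so every directory's ACL can be read. Results also go to a CSV,
# like the access.txt produced by the AccessChk commands above.
$found = @(Get-UserWritableDirectory -Root $roots -Sids $groupSids)
$found | Export-Csv -NoTypeInformation -Path "$env:TEMP\user-writable.csv"
$found | Format-Table -AutoSize
```

Each directory in the output is one where a standard user can place a file inside a tree that the Unrestricted rules trust, which is exactly the gap a Disallowed path rule on that directory closes.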
    
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Thanks for the suggestion. I didn’t know about accesschk. I’ll run it later today and see what results I get.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Pretty much finalized configuration:

    Code:
    Name Type Security Level Description
    C:\Program Files Path Unrestricted
    C:\Program Files (x86) Path Unrestricted
    C:\ProgramData\Lenovo\iMController\Plugins\ThinkIntelligentSensingPackage_\x86\*.PS1 Path Unrestricted
    C:\ProgramData\Microsoft\ClickToRun\{*}\integrator.exe Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{*}\*.dll Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Offline Scanner\*.dll Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Offline Scanner\*.exe Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Platform\*\*.dll Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Platform\*\*.exe Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Scans\*.bin Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Scans\*.bin.* Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Scans\*.exe Path Unrestricted
    C:\ProgramData\Microsoft\Windows Defender\Support\*.bin Path Unrestricted
    C:\Users\username\AppData\Local\*\Engine\HostAppServiceUpdater.exe Path Unrestricted
    C:\Users\username\AppData\Local\Google\Chrome Beta\User Data\PepperFlash\*\pepflashplayer.dll Path Unrestricted
    C:\Users\username\AppData\Local\Host App Service\Uninstall.exe Path Unrestricted Allow uninstallation of selected Apps
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\*.exe Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\*\FileSync*.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\*\qjpeg.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\*\qsvg.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\*\qwindows.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\*EAY32.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\ADAL.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\amd64\FileCoAuthLib64.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\ETWLog.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\FileCoAuthLib.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\FileSync*.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\LoggingPlatform.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\LogUploader.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\MSVCP140.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick.2\qtquick2plugin.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Controls.2\qtquickcontrols2plugin.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Layouts\qquicklayoutsplugin.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Templates*\qtquicktemplates2plugin.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Window.2\windowplugin.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\QT5*.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\RemoteAccess.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\SyncEngine.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\Telemetry.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\ucrtbase.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\UpdateRingSettings.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\VCRUNTIME140.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\WnsClient.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\WnsClientApi.dll Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\OneDrive.exe Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\Update\*.exe Path Unrestricted
    C:\Users\username\AppData\Local\Temp\*.tmp\GoogleUpdate.exe Path Unrestricted Allow Google Chrome to update
    C:\Users\username\AppData\Local\Temp\~nsu.tmp\Un_*.exe Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\*\*.exe Path Unrestricted
    C:\Users\username\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe Path Unrestricted
    C:\Users\username\AppData\Local\Temp\~nsu.tmp\Un_*.exe Path Unrestricted
    C:\Users\username\Desktop\Autoruns64.exe Path Unrestricted
    C:\Windows Path Unrestricted
    C:\Windows\Registration\CRMLog Path Disallowed
    C:\Windows\Sys*\Tasks\Microsoft\Windows\PLA\System Path Disallowed
    C:\Windows\System32\FxsTmp Path Disallowed
    C:\Windows\SystemApps\ShellExperienceHost_*\*.exe Path Unrestricted Allow Start menu to launch
    C:\Windows\SysWOW64\FxsTmp Path Disallowed
    C:\Windows\Temp Path Disallowed
    C:\Windows\Temp\0E2B6AB2-\*.dll Path Unrestricted
    C:\Windows\TEMP\CR_6BF41.tmp Path Unrestricted Google Chrome updates
    c:\Windows\System32\spool Path Disallowed
    C:\Windows\System32\spool\drivers\W32X86\3\*.dll Path Unrestricted
    C:\Windows\System32\spool\drivers\x64\3\*.dll Path Unrestricted
    C:\Windows\System32\spool\drivers\x64\3\*.exe Path Unrestricted
    C:\Windows\SysWOW64\com Path Disallowed
    C:\Windows\SysWOW64\com\comadmin.dll Path Unrestricted
    C:\Windows\SysWOW64\com\comrepl.exe Path Unrestricted
    C:\Windows\SysWOW64\com\MigRebDB.exe Path Unrestricted
    
    There were a few other directories AccessChk flagged as RW for users, but when I clicked on them I was prompted for credentials, so I didn't bother with them.
     
  18. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Hi,

    I don't use OneDrive, but I think one shouldn't set anything inside AppData to Unrestricted, even if you specify a specific exe, because that exe can be replaced with something the attacker wants to run.
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    You have a good point, but if I don't allow the specific exe's, OneDrive breaks. I know this SRP policy isn't perfect, but it's at least better than no policy at all. I did remove the rule that allows all exe's in the one sub-directory.
     
  20. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    You do use OneDrive then ?
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Yes.
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    This is indeed a weakness with SRP, and the criticism applies equally to AppGuard's version of SRP (in locked down mode, at least. In the standard mode, you can allow by signature, instead).
    But if you have your policy set up right, malware will never be running rampant in your system, deleting and creating files to its heart's desire. If that's happening, it's way too late, because your system was already pwned.
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I prefer to create hash rules for such files so they can't run if they are indeed replaced. Of course you have to update hash each time those files get updated...
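Whether the AppData files are covered by hash rules or by path rules, the operational question from the last few posts is the same: has a file the policy trusts been replaced since the rules were written? The script below is an added example, not code from this thread. It keeps a SHA-256 baseline of the files the Unrestricted AppData rules in this thread point at and reports what changed on the next run; it does not create SRP hash rules (those are still made in the policy editor), and the baseline file path is a constructed choice.

```powershell
# Added example, not from the thread: keep a SHA-256 baseline of the binaries
# that Unrestricted path rules under AppData point at, and re-run to see which
# of them changed. It does not create SRP hash rules (do that in the policy
# editor); it tells you when a path rule now trusts a different file, which is
# both the replacement risk lunarlander raises and the moment a hash rule
# would need updating. The patterns below are taken from the rulesets in this
# thread; the baseline path is a constructed choice.
$baselineFile = Join-Path $env:USERPROFILE 'srp-appdata-baseline.json'
$watched = @(
    (Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\Update\*.exe'),
    (Join-Path $env:LOCALAPPDATA 'Host App Service\Uninstall.exe')
)

function Get-WatchedHashes {
    # Returns @{ fullPath = sha256 } for every file the patterns resolve to now.
    param([string[]]$Pattern)
    $result = @{}
    foreach ($p in $Pattern) {
        Get-ChildItem -Path $p -File -ErrorAction SilentlyContinue | ForEach-Object {
            $result[$_.FullName] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    return $result
}

function Compare-WatchedHashes {
    # Emits one object per file that is new, gone, or has a different hash.
    param([hashtable]$Baseline, [hashtable]$Current)
    $paths = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($path in $paths) {
        $old = $Baseline[$path]; $new = $Current[$path]
        $state = if (-not $old) { 'NEW' } elseif (-not $new) { 'MISSING' } elseif ($old -ne $new) { 'CHANGED' } else { 'ok' }
        if ($state -ne 'ok') { [pscustomobject]@{ State = $state; File = $path; Was = $old; Now = $new } }
    }
}

$current = Get-WatchedHashes -Pattern $watched
if (-not (Test-Path $baselineFile)) {
    $current | ConvertTo-Json | Set-Content -Path $baselineFile
    Write-Host "Baseline written to $baselineFile ($($current.Count) files)."
} else {
    # JSON comes back as an object; fold it into a hashtable for comparison.
    $baseline = @{}
    (Get-Content -Raw -Path $baselineFile | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $changes = @(Compare-WatchedHashes -Baseline $baseline -Current $current)
    if ($changes.Count -eq 0) { Write-Host 'All whitelisted AppData files match the baseline.' }
    else { $changes | Format-Table -AutoSize }
}
```

A CHANGED line after a known OneDrive update is the cue to refresh the hash rule; a CHANGED or NEW line with no update you recognise is the case lunarlander describes, and worth looking into before the path rule keeps trusting it. Delete the baseline file to start over after a deliberate update.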
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I agree, although the current SRP rules I have for OneDrive are still a weakness. I'm considering purging them and using Onedrive by simply logging in to the website. As it currently stands, Onedrive doesn't launch automatically when I log in to my Windows account.
     