Applocker and java update?

[acr1965]

I have not been successful trying to set applocker to allow java update installs. Is there some trick or setting short of disabling applocker, rebooting and doing a manual update?

If not, what other updates will I have a similar experience, such as flash, et al...?

Did you create rules for the path: C:\%PROGRAMFILES%\Common files\Java ?

Don't forget you can easily discover exactly what's been blocked through AppLocker logs:

Computer management->Event viewer->Application and services logs->Microsoft->Windows->Applocker, then check for "Error" level entries to see what was blocked.

[acr1965]

Thanks, just did that. I had no problem finding that an update was available, just installing the update. So I believe the update check was allowed to run but the installer was prevented by applocker.

Oh, I see. There might be rare cases where you'll need to create path rules under a user's Appdata directory to get something to work properly.

[MrBrian]

I haven't had any known problems with Java updates and AppLocker. I manually download and run the installer elevated.

http://www.oracle.com/technetwork/ja...ads/index.html

Allow Adobe and Oracle? Updates need to be signed for that. Flash is no problem, don't know about Java.

[acr1965]

Quote:

Originally Posted by MrBrian

I haven't had any known problems with Java updates and AppLocker. I manually download and run the installer elevated.

http://www.oracle.com/technetwork/ja...ads/index.html

I eventually did that and it worked, but I disabled the applocker process. Are you able to have java allowed to be installed from the new update prompt? Or are you only able to install via manual download?

also, what about adobe flash? same issues?

The logs will show exactly what's blocked, including the path(s).

[acr1965]

Quote:

Originally Posted by wat0114

The logs will show exactly what's blocked, including the path(s).

Yes, thanks. I saw the java update was blocked but could not find any way to have the update installed short of the manual download. I seen the java installer was not visible when I tried to white list it in applocker. I had the java.exe white listed but to no avail.

[MrBrian]

Quote:

Originally Posted by acr1965

I eventually did that and it worked, but I disabled the applocker process. Are you able to have java allowed to be installed from the new update prompt? Or are you only able to install via manual download?

also, what about adobe flash? same issues?

I've always downloaded and installed these two manually, so I don't know.

I install Java and Flash updates as administrator, so AppLocker does not form part of the equation anyway. Also, most of my rules are autogenerated, so behavior with that approach as opposed to path rules can differ in certain situations. However, I've had to create dll path rules to address ever-changing Flash temp files under the user's appdata directory path (this is just to use Flash - never mind installing it). It's a nuisance but that's the trade-off, I guess, for including dll rules in AppLocker. An example shown.

BTW acr, sorry for nattering like an old woman regarding the logs, but I've found it to be indisputably the best way to find and correct application functionality problems using AppLocker.

[m00nbl00d]

Why not just follow MrBrian's approach, which seems to be the most straightforward option? Download and manually update. You can even have a third-party application downloading the installers, whenever a new version is found. Then, you only need to install.

Besides Secunia PSI, which will for sure let you know right on time, there's Ketarin (http://ketarin.canneverbe.com/), which you'll need to set up for whatever installers you want.

It's from same developer as CDBurnerXP, I think. It's open-source, if you've got any concerns.

I still haven't tried it out. Have downloaded it though, still not in the stage of setting it up. Doing other stuff, at the moment.

Quote:

What is it all about?

Ketarin is a small application which automatically updates setup packages. As opposed to other tools, Ketarin is not meant to keep your system up-to-date, but rather to maintain a compilation of all important setup packages which can then be burned to disc or put on a USB stick.
I created this application, because I couldn't find anything like it when I needed such a functionality. Since I don't want my efforts go to waste, I decided to release it to the public. Ketarin is open source, so you can also extend its functionality to fit your needs (just note that you may not use the icons that ship with it freely as well). I'd also appreciate source code contributions. Ketarin is written in C#, for the .NET Framework 2.0 and uses SQLite as database engine.

How does it work?

Basically, it monitors the content of web pages for changes and downloads files to a specified location. There is a tutorial explaining it all. Currently, you can either rely on a service based on FileHippo, or you can define your own rules, even using regular expressions (for advanced users). A similar application, for monitoring web pages, is Webmon and has sometimes served as guide.

[acr1965]

Quote:

Originally Posted by m00nbl00d

Why not just follow MrBrian's approach, which seems to be the most straightforward option? Download and manually update. You can even have a third-party application downloading the installers, whenever a new version is found. Then, you only need to install.

Besides Secunia PSI, which will for sure let you know right on time, there's Ketarin (http://ketarin.canneverbe.com/), which you'll need to set up for whatever installers you want.

It's from same developer as CDBurnerXP, I think. It's open-source, if you've got any concerns.

I still haven't tried it out. Have downloaded it though, still not in the stage of setting it up. Doing other stuff, at the moment.

I'll probably just download manually from here on out with java. I was concerned previously about whether a manual download was appropriate or some other method. I guess at this point I need to figure what else needs a manual update.

thanks