A thought regarding drive-by downloads

Discussion in 'other anti-malware software' started by Gullible Jones, May 8, 2010.

Thread Status:
Not open for further replies.
  1. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Finally managed to find out the video so that I don't have to keep on describing something you apparently haven't tested at all...

    If you watch AppLocker Walkthrough from ~4:30 on, you can watch the wizard in action to create the rules. Completely automatic with publisher rules created for anything signed and choice between hash and path rules for unsigned stuff. Lot of work? You can't be serious.
     
  2. wat0114

    wat0114 Guest

    Hardly annoying. It takes maybe 3 minutes at the most to autogenerate a rule(s) for your new program, then simply export your new configuration for safe keeping. BTW, Publisher rules are the best. Hash rules are equally strong but can be cumbersome to maintain because when you update a program it requires generating a new hash rule. With publisher rules this is not necessary, since you can create a rule for the "current program version number or higher". Path rules may be easy but they are also weakest, so the course of action should be as follows:

    Generate as many publisher rules as possible, followed by hash, followed by path. This approach will yield the strongest ruleset.

    I'd suggest reading the links doktornotor provided. There's nothing difficult about setting up and maintaining AppLocker. It definitely beats continuously answering HIPS pop-ups, and, quite simply put, renders antivirus virtually useless (other than for occasional on-demand scans).

    Just an example in the screenshots to show how "Allow with Exceptions" can be created for path rules. The rules simply allow a selected user to execute from %System32%\com\dmp|8, while everyone else is denied that folder.
     

    Last edited by a moderator: May 13, 2010
  3. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Not related, but I asked you if you knew about that problem on XP. You gave no clear answer, so I guess you don't know. It's OK, now you know.
     
  4. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    I know it and already use it. I said it's a lot of work if you have to update the AppLocker rule every time you update a program. It becomes like HIPS. That's my point. Hope it's clear now.
     
  5. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Utter nonsense. Sounds like a case of extreme laziness instead, seriously. :rolleyes:
     
  6. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Some say not using HIPS is a case of laziness. Others say it's annoying to use HIPS. You can say what you want. Up to you. I'm saying that if you update a program you always have to remember to update the AppLocker rule too, and that can be annoying. If you don't have many programs then maybe it's not so bad.
     
  7. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    How many unsigned applications do you update every day? Hundreds or thousands? Because that'd be about the amount of clicks when using HIPS, depending on how sucky it is and how paranoid you are :rolleyes:

    I don't consider further debate in this direction to be useful, all has been said already (path rules, publisher policies etc.)
     
  8. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Some may use many unsigned programs. Or they may start using some unsigned program. You never know when you'll start using them. HIPS means many clicks, I know. I made a bad comparison, but I'm trying to explain. Also, I'll say it again: if you use path rules, you may be allowing folders in C:\Windows to run too. You never know if an unsigned program may use those paths.
     
  9. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    You install your software to C:\Windows? Well, that's not what most people out there would do. o_O Looks like you still did not get the point, so last try from me (already been said many times here anyway):

    - for signed apps, use publisher rules
    - for unsigned apps, you can use either hash or path rules (in that order of preference security-wise)

    You can mix the rules as needed on a per-application basis. And you would NOT use path rules for %WinDir% at all, since next to nothing installs there except for some shared libs (DLLs etc.) and drivers; frankly you don't want AppLocker to deal with DLLs.
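    The rule-generation order argued for in post #2 (publisher first, then hash, then path) and restated in the list above can be applied in one go from PowerShell. The following is an added example written for this thread, not code posted by either participant or shipped with AppLocker; it assumes a Windows 7 box with the AppLocker module, an application folder at the made-up path C:\Program Files\ExampleApp, and an admin shell. The -RuleType order is the preference order: a publisher rule is created for every signed file, a hash rule for unsigned files, and a path rule only if neither is possible, which is exactly the walkthrough wizard's behaviour done from the command line.

```powershell
# Added example (not from the thread): generate AppLocker EXE rules for one
# application folder, preferring publisher rules, then hash, then path.
Import-Module AppLocker

$appDir = 'C:\Program Files\ExampleApp'        # assumption: folder of the app to allow
$outXml = "$env:TEMP\ExampleApp-AppLocker.xml" # assumption: where the new rules are written

# Collect publisher / hash / path information for every EXE under the folder
$files = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe

# -RuleType order is the preference order: Publisher when the file is signed,
# Hash when it is not, Path only when neither can be produced. -Optimize folds
# files from the same publisher/product into a single rule.
$policyXml = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash, Path `
    -User Everyone `
    -RuleNamePrefix 'ExampleApp' `
    -Optimize `
    -Xml
Set-Content -Path $outXml -Value $policyXml

# Show which files are unsigned: those are the ones that got hash rules and
# will need a new rule after every update of the program.
$files | ForEach-Object {
    [pscustomobject]@{
        Path      = $_.Path.Path
        Signed    = [bool]$_.Publisher
        Publisher = if ($_.Publisher) { $_.Publisher.PublisherName } else { '(unsigned -> hash rule)' }
    }
} | Format-Table -AutoSize

# Dry run before touching the live policy: would the new rules allow these files?
Test-AppLockerPolicy -XmlPolicy $outXml `
    -Path ($files | ForEach-Object { $_.Path.Path }) `
    -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Back up the current local policy (the "export for safe keeping" step), then
# merge the new rules in. Without -Merge the existing rules would be replaced.
Get-AppLockerPolicy -Local -Xml | Set-Content -Path "$env:TEMP\AppLocker-backup.xml"
Set-AppLockerPolicy -XmlPolicy $outXml -Merge
```

    The Application Identity service must be running for the policy to take effect, and the Test-AppLockerPolicy step only evaluates the new XML in isolation, so run it again against the merged effective policy (Get-AppLockerPolicy -Effective -Xml) if other rules could conflict.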
     
  10. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    And again, for unsigned apps, if you use hash rules you need to update AppLocker every time you update the unsigned app. And if you use path rules you never know when a program may install a component to C:\Windows that needs to run. I don't know if such an app exists, but it may be out there, you never know. I agree your method can work too, just saying it may be a problem or more annoying in some cases. With allow-all on C:\Program Files and C:\Windows and a block on the folders where a limited user is allowed to write and execute, all problems are solved.

    By the way, if you use Win 7, how come your sig shows Win XP?
     
  11. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Uh... You do not need to use path rules for %WinDir%. It's completely unrelated and separate from path rules for %ProgramFiles%. Period. Stop mixing those two things already.

    If you don't even know whether such an app exists, then why's it even a problem for you? o_O

    Because it's the box I'm using right now and the signature length is way too limited to include all the boxes I'm using.
     
  12. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    I know there's no need, but I'm saying you may need it, just thinking of possible problems. If a new unsigned app installs a component to C:\Windows that needs to run, then you need to use a path rule, or it's annoying, since with a hash rule you need to update the AppLocker rule every time you update the app. And if you use a path rule then you may be allowing execution from a dangerous folder. No problem for me, just thinking of future problems for me and other people, you never know. Thank you for the discussion.
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well yeah it's annoying. Also discussing hypothetical "problems" is annoying. :p

    When something installs to %WinDir% you'll notice it when it won't run. Such an application is broken in the first place; apps aren't supposed to drop random EXE junk into %WinDir%. You might have more issues if you want AppLocker to deal w/ DLLs, but then again I myself (and also MS, for what it's worth) discourage you from doing it. Needless complexity and overhead for very little gain.
     
  14. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    You don't need to read and reply to me then if you're annoyed. Simple. It's important to block unknown DLLs, I feel. I've never had a problem here with blocking DLLs. More secure. Anyway, either way works well.
     
  15. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Really no problems? You probably don't use Chrome extensions. Other broken things include the Java cache, Dropbox and a bunch of random semi-broken stuff that tends to drop DLLs into %APPDATA% and elsewhere in %UserProfile%. Definitely not worth the hassle to me.
     
  16. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Yes, no problems, never noticed any. I don't use Chrome. Never used Dropbox. No problem for my use. Like I guess you said already, what works for some doesn't work for others. I've blocked DLLs for many years. No problem.
     
  17. wat0114

    wat0114 Guest

    It seems clear you want nothing to do with managing Publisher/hash rules, so why don't you simply create the default path rules and add exceptions for all those directories MrBrian links to in his post #37 of this thread? Basically, set yourself up similar to the way he did in his link. If something does not work right, then simply change enforcement of rules to "Audit", then check the logs to see what's wrong. You then simply create a "one time" path rule for it. It could end up that you will need a rule or two under %Appdata%. You mention reading about AppLocker, but I'm not so sure you adequately understand how it works.
     
    Last edited by a moderator: May 14, 2010
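    The audit-then-fix loop wat0114 describes (switch enforcement to Audit, read the log, add a one-time path rule for whatever got caught) looks like this in PowerShell. This is an added example for the thread, not code from either poster or from Microsoft's AppLocker documentation; it assumes an admin shell on Windows 7 with the default rules already created, and the hypothetical helper names Get-AppLockerAuditHits and Expand-AppLockerPath are mine. Audit mode logs event 8003 ("would have been blocked") in the AppLocker event log instead of blocking, so nothing breaks while you work out which folders need rules.

```powershell
# Added example (not from the thread): put the EXE collection in audit mode,
# read the audit log, and turn one "would have been blocked" hit into a path rule.
Import-Module AppLocker

$work = "$env:TEMP\applocker-audit.xml"   # assumption: scratch file for the edited policy

# 1. Switch the Exe rule collection of the local policy to AuditOnly
[xml]$pol = Get-AppLockerPolicy -Local -Xml
$exe = $pol.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe) { throw 'No Exe rule collection in the local policy; create the default rules first.' }
$exe.SetAttribute('EnforcementMode', 'AuditOnly')   # Enabled = enforce, AuditOnly = log only
$pol.Save($work)
Set-AppLockerPolicy -XmlPolicy $work                # no -Merge: replace with the audited copy

# 2. Use the machine normally, then list what would have been blocked (event ID 8003)
function Get-AppLockerAuditHits {   # hypothetical helper, not an AppLocker cmdlet
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # The file details live in the event's UserData, not in the message text
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = $d.TargetUser
            Path = $d.FilePath      # logged with AppLocker variables, e.g. %OSDRIVE%\Users\...
            Fqbn = $d.Fqbn          # publisher info, "-" when the file is unsigned
        }
    } | Sort-Object Path -Unique
}

# AppLocker logs its own path variables; expand them to real paths before reuse
function Expand-AppLockerPath {     # hypothetical helper
    param([string]$Path)
    $Path -replace '%OSDRIVE%', $env:SystemDrive `
          -replace '%WINDIR%', $env:windir `
          -replace '%SYSTEM32%', "$env:windir\System32" `
          -replace '%PROGRAMFILES%', $env:ProgramFiles
}

$hits = Get-AppLockerAuditHits
$hits | Format-Table Time, User, Path, Fqbn -AutoSize

# 3. One-time path rule for a single file you have reviewed in $hits. Signed
#    files (Fqbn not "-") would be better served by a publisher rule instead.
$target = Expand-AppLockerPath (($hits | Select-Object -First 1).Path)
$ruleXml = Get-AppLockerFileInformation -Path $target |
    New-AppLockerPolicy -RuleType Path -User Everyone -RuleNamePrefix 'OneTime' -Xml
Set-Content -Path "$env:TEMP\onetime.xml" -Value $ruleXml
Set-AppLockerPolicy -XmlPolicy "$env:TEMP\onetime.xml" -Merge

# 4. Once the log stays quiet, set EnforcementMode back to 'Enabled' the same way as in step 1
```

    Keep the rule to the exact file rather than its whole folder where you can; a path rule on a user-writable directory is the weak spot doktornotor and timestand argue about above, and the 8003 events show precisely which file needs the exception.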
  18. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    I understand how it works. I already said so. Both methods work fine. One method may be better than the other if you use many unsigned programs. Not so sure you adequately understand me. Sorry.
     