Applocker problem :(

Discussion in 'other security issues & news' started by exus69, Aug 13, 2011.

Thread Status:
Not open for further replies.
  1. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Thanks for your help wat, I appreciate it. I tend not to change my setup as much as I used to because I pretty much found apps that I am content with using.
     
  2. wat0114

    wat0114 Guest

    You're welcome.
     
  3. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Ok one more question pleaseeeeeeeeeeeee...:D I noticed you have a publisher rule for Adobe Flash. Did you create that for the dll file (or was it the ocx file) in that directory because it's not covered by the default Windows dll rule?
     
  4. wat0114

    wat0114 Guest

    You know, it was so long ago that I can't remember the reason, but that could very well have been it. There was a logical reason for it is all I can tell you. Weird things sometimes happen so customized rules need to be created to resolve the AppLocker block issues.

    A good example is an executable rule needed for not only Process Explorer's procexp.exe file, but also for its procexpx64 file, the latter of which only gets generated when Process Explorer is launched. Hope this makes sense.

    This is an example of why it's nice to have those instant Task Scheduler event alerts when weird things like this happen.
     
  5. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Ok then. I will see what happens when I get around to re-installing Windows and getting things set up. I understand the Process Explorer issue as I had a similar issue with another app. Yes it does make sense. Thanks again.
     
  6. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Well I'm currently setting up applocker now and looks like I will have to create individual publisher rules for each dll file in Chrome's directory? Wondering if the publisher is the same for the dll files do I need a rule for each dll file or just for each publisher? Didn't know it wasn't an auto-generate for dll rules, oh well. Any thoughts Wat?
     
    Last edited: Sep 4, 2011
  7. wat0114

    wat0114 Guest

    Yes, Publisher rules for DLL files are a bit of a PITA, because unlike the autogenerate option for executables, the DLL Rules don't have this option. However, you should not have to create a rule for every DLL file related to Chrome. Just create the ones you find in the Event Viewer logs whenever you get a block alert.

    Probably the easiest way to go about this is open up Event viewer to the AppLocker logs (Application and Services Logs\Microsoft\Windows\AppLocker\EXE and DLL), clear them, then open Chrome and start using it until you get an AppLocker block from either AppLocker itself or the custom Task Scheduler event you hopefully have created already. Check under the Details tab and look for the FilePath entry which will display the file path of the blocked executable or DLL, whichever the case may be. You can then create your AppLocker rule based on that info.
     
    Last edited by a moderator: Sep 4, 2011
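
Added example, not part of the original posts: the log-review workflow wat0114 describes above, done in PowerShell with the built-in AppLocker cmdlets. It assumes an elevated session on a machine with AppLocker in audit or enforce mode; the output file name is a placeholder.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
Import-Module AppLocker

$log = 'Microsoft-Windows-AppLocker/EXE and DLL'

# 1. List files that were blocked (8004) or would have been blocked
#    in audit-only mode (8003), one row per distinct file path.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8004 } `
                       -ErrorAction SilentlyContinue
$blocked = foreach ($e in $events) {
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        FilePath = $d.FilePath   # same value as FilePath on the Details tab
        Fqbn     = $d.Fqbn       # signer/product/file/version recorded for the file
    }
}
$blocked | Sort-Object FilePath -Unique | Format-Table -AutoSize

# 2. Pull file information (publisher, hash, path) for those same events.
$info = @(Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited `
              -ErrorAction SilentlyContinue) +
        @(Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Denied `
              -ErrorAction SilentlyContinue)

# 3. Draft rules: Publisher where the file is signed, Hash as the fallback.
#    -Optimize groups similar files so one publisher rule can cover several DLLs.
$draft = Join-Path $env:TEMP 'applocker-proposed.xml'   # placeholder file name
if ($info.Count -gt 0) {
    $info |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                            -RuleNamePrefix 'FromEventLog' -Optimize -Xml |
        Out-File -FilePath $draft -Encoding UTF8
    Write-Host "Draft policy written to $draft"
} else {
    Write-Host 'No audited or denied AppLocker events found.'
}

# 4. Read the draft before using it. Every rule allows something that was
#    blocked, so confirm each file is expected (e.g. lives in Chrome's folder).
#    To apply after review:  Set-AppLockerPolicy -XmlPolicy $draft -Merge
```

Clearing the log before the test run, as described in the post, keeps the draft limited to the application being tested.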
  8. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Yea I see but it's fine. I don't mind learning it. ;) Ok gotcha. I will do an audit test and see what happens.
     
  9. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Actually I did that my friend and I found two dll files would be blocked if I enforced the rules. Created publisher rules and bam success. Still testing to see if I need to add any more dll rules and after this it's applocker full time :D Again I thank you for your time and energy in helping with this.
     
  10. wat0114

    wat0114 Guest

    Good to see you're making progress :)
     
  11. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Yep I'm glad as well :). I feel bad as well though because I could have been asking for help when I tried applocker the first time lol, but I never gave applocker a chance. And this is before I even considered using DLL rules lol.
     
    Last edited: Sep 4, 2011
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  13. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Thanks MrBrian. Will take a look.
     