Share your AppLocker settings

Discussion in 'other anti-malware software' started by Kees1958, May 9, 2012.

Thread Status:
Not open for further replies.
  1. Kees1958

    Finally surrendered to AppLocker and said goodbye to good old SRP.

    Curious about settings of members using AppLocker.

    So here are my AppLocker settings: basically a more granular setup with default deny in user space, Program Files allowing only signed programs, and allowing Admin to install/elevate from User Space (Desktop is also the name of the user).

    Note: the last DLL rule is only allowed in the Windows dir.

    Regards Kees

    Last edited: May 14, 2012
  2. Gobbler

  3. Kees1958

    I checked a few of those extra folders, but they all had an Access Control List (right click, Security tab) for Users without "Traverse Folder/Execute File". This is good enough for me.
  4. 1chaoticadult

    My AppLocker policy is similar to MrBrian's, with a few minor differences.
  5. Noob

    Never tried AppLocker, have always used SRP. :D
    I'll take a look at the guide. :rolleyes:
  6. 1chaoticadult

    I've never tried SRP, always used AppLocker :D
  7. WSFfan

    I am using MrBrian's ruleset with some additional rules for AppLocker. I can't get Google Chrome to work with the Sandboxie & AppLocker combination, but it works fine with AppLocker alone. If anyone uses the Sandboxie & AppLocker combination successfully with Google Chrome, please post the AppLocker rules for that. I have also installed the fix for the AppLocker bypass flaw.
  8. 1chaoticadult

    This shouldn't be too hard to do. Did you set up AppLocker instant event alerts, like in this thread?: http://www.wilderssecurity.com/showthread.php?t=306861. That might help you narrow down what's being blocked and give you a good idea what rules you need to create.
  9. WSFfan

    I have enforced Audit only mode. I have whitelisted all the DLLs located in the Program Files folder, yet some DLLs of Google Chrome located in the Program Files folder are blocked for no apparent reason. Similarly, I have whitelisted the whole AppData folder of my user account for scripts, DLL and exe, yet Google Chrome fails to run. I have whitelisted all Microsoft DLLs, yet some of them are blocked.

    Edit:

    I whitelisted the whole Windows partition in all the AppLocker rules, enforced the rules, rebooted, restarted the Application Identity service, but Chrome failed to work.

    @1chaoticadult, what browser are you using? Maybe any browser other than Chrome or its other variants. Either I have to give up Chrome or AppLocker, because Sandboxie works great. :doubt:
    Last edited: May 12, 2012
  10. 1chaoticadult

    If you look at my sig, I use AppLocker, Chrome & Sandboxie without issues. What Chrome DLLs are you talking about in Program Files? I have none there. Again, did you set up those alerts I mentioned? An alert would pop up when a file is blocked and you could check Event Viewer to find out what the blocked files are. Do you mind posting some screenshots of your AppLocker policy?
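The alert-and-Event-Viewer workflow suggested above, as an added example that is not part of the thread: a PowerShell script that reads the AppLocker event logs for files that were blocked (or, in audit-only mode, would have been blocked), shows whether each one is signed, and drafts publisher or hash rules for the user from those hits. It assumes the AppLocker PowerShell module is present and the Application Identity service was running while Chrome was started; the user name is a placeholder.

```powershell
# Added example, not from the thread: what did AppLocker block (or, in audit mode, would it have
# blocked) since the Application Identity service started, and what rules would cover it?
# Assumes the AppLocker module is available; the user name below is a placeholder.
Import-Module AppLocker
$TargetUser = 'MYPC\Nero'   # placeholder: the standard user account Chrome runs under

$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'

# Audited = would have been blocked (audit-only mode), Denied = actually blocked (enforced)
$hits = foreach ($log in $logs) {
    Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited, Denied -ErrorAction SilentlyContinue
}
if (-not $hits) { Write-Warning 'No audited or denied AppLocker events found'; return }

# One line per file: hit count and signer. An empty Publisher means the file is unsigned,
# so a publisher rule cannot cover it and only a path or hash rule will.
$summary = $hits | Group-Object { "$($_.Path)" } | ForEach-Object {
    [pscustomobject]@{
        Hits      = $_.Count
        Path      = $_.Name
        Publisher = "$($_.Group[0].Publisher)"
    }
} | Sort-Object Hits -Descending
$summary | Format-Table -AutoSize

# Draft rules for the user: publisher rule where the file is signed, hash rule where it is not.
# -Optimize merges files from the same signer. Review the XML before merging it into the live policy.
$draftPath = Join-Path $env:TEMP 'applocker-draft.xml'
New-AppLockerPolicy -FileInformation $hits -RuleType Publisher, Hash -User $TargetUser -Optimize -Xml |
    Set-Content -Path $draftPath -Encoding Unicode
```

Run it as an administrator right after reproducing the Chrome failure, so the event logs contain the hits; files that show up with an empty Publisher column are the ones a "signed programs only" policy will never cover.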
  11. WSFfan

    I have installed Chrome in the Program Files folder. I had set up those alerts. It only showed that Chrome.exe was blocked when rules were enforced (it did not show a particular DLL, exe or script file); when in audit mode, some Microsoft DLLs and Chrome DLLs (though whitelisted) were shown as files that would have been blocked. I have installed the following extensions in Chrome: LastPass, Downloaders plugin, Adblock and Do Not Track Plus. I have whitelisted the whole AppData folder in the AppLocker settings, yet Chrome seems to be blocked for no apparent reason. Do you have any special rules for Chrome and Sandboxie in AppLocker? I have a doubt whether the AppLocker bypass hotfix may be the reason for Chrome being blocked. Have you installed the AppLocker bypass hotfix?
  12. 1chaoticadult

    I don't have Chrome installed in Program Files. I have Chrome installed in AppData. Yes, I had the hotfix installed and it should have nothing to do with the issue you are having. I have no special rules for Sandboxie, as I have the default rule to run all exes, DLLs and scripts from Program Files. As far as Chrome goes, I have rules for Chrome's AppData directory in exe, DLL & script.
  13. Kees1958

    I have Chromium installed in Program Files and the AppLocker fix installed, no problems. I have the Flash (gcswf32.dll) and PDF DLLs moved to the Program Files directory of Chromium. No problems with Chrome (disabled the Adobe plug-in in Chrome settings).
  14. WSFfan

    My AppLocker rules screenshots:

    [Attached screenshots: Capture1.PNG, Capture2.PNG, Capture3.PNG, Capture4.PNG]
    Last edited: May 14, 2012
  15. Kees1958

    After some testing I found this combo of UAC, SRP, ACL and AppLocker the fastest and most secure. For some odd reason, setting the UAC to deny elevation of unsigned programs sometimes gives an irritating delay when starting programs with admin rights (e.g. Sysinternals Autoruns). With these settings I do not have the delay, but I have not found out what causes it (the AppLocker rules previously posted delayed elevation of signed programs).

    1. UAC
    - Deny elevation of unsigned programs
    - Disable installer detection
    - Run all admins in admin approval mode
    - Admin approval mode for the built in Admin Account

    2. SRP
    - Enforcement: All files (including DLLs), except Administrator [so applies only to standard users]
    - Security level: default level is Basic User [effectively is deny execute outside Safe Places]
    - Only default rules (Windows and Program Files; rights are determined by user rights, not SRP)
    - Registry hack of Symantec, to run MSI as admin

    3. AppLocker
    - Executable Rules (replaced default rules with)
    a) User (Kees) is allowed to run all signed executables (publisher rule) from drive C (path exceptions on data drives)
    b) Builtin Admins are allowed to execute from path Windows
    c) Builtin Admins are allowed to execute from path Program Files
    d) User (Kees) is allowed to run (hash rule for unsigned program) 7-zip
    e) User (Kees) is allowed to run (hash rule for unsigned program) Chrome

    4. Access Control List
    a) On all download/internet/e-mail/media receiving folders set a deny execute/traverse folder for everyone.
    b) Same on Public User Folder.

    5. GPO Hardening
    a) Deny execute access on removable drives
    b) Disabled Autoplay of removable drives

    So back to partly SRP again: less granular control (on DLLs) but more speed in synthetic benchmarks, leaving MSI over to SRP and UAC (all MSI elevate with the Symantec registry hack, so only signed MSI install with UAC).
    Last edited: May 14, 2012
  16. 1chaoticadult

    I wouldn't whitelist the whole AppData directory, just the specific directories under AppData you need.
  17. WSFfan

    @Kees1958: Maybe you aren't using Sandboxie; that is why you have no problem running Chromium with AppLocker.

    @1chaoticadult: Please post the AppLocker rules for Chrome.
    Last edited: May 15, 2012
  18. Kees1958

    Nope, I am not using SBIE.
  19. WSFfan

    @Kees1958: Do you think your Safe Admin setup can be as good as Sandboxie in malware prevention?
  20. Kees1958

    Reading your signature, it looks like you are not happy with AppLocker. As mentioned, I have a combo of UAC, SRP, AppLocker and ACL to establish basically a deny execute in user space, deny elevate of unsigned and allow the user only to execute signed programs. The same can be achieved more easily with a HIPS or a deny-execute program.

    All these denies imply that I do not install a lot of software. My surfing habits won't take me to the outskirts of the web and my ISP checks my mail for viruses. So taking these considerations in mind (combined with the Chromium sandbox), I would say yes.
  21. WSFfan

    Considering security as the priority, which is better among these three combinations?

    1) Sandboxie + Chrome

    2) AppLocker + Chrome

    3) Sandboxie + AppLocker + Opera
  22. 1chaoticadult

    Honestly, I like option 3, but replacing Opera with Chrome.

    Executable Rules: C:\Users\Nero\AppData\Local\Google\Chrome\Application\*
    Script Rules: Same as above
    DLL Rules: Same as above
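The rule set from posts #15 and #22 written out as an AppLocker policy, as an added example that is not part of the thread: a publisher rule that lets the standard user run any signed executable, path rules for the built-in Administrators on Windows and Program Files, and path rules in the Exe, Dll and Script collections for Chrome under the user's AppData. The user's SID and the Chrome folder are placeholders, and every collection is left in AuditOnly so the dry run at the end can show what would be denied before anything is enforced.

```powershell
# Added example, not from the thread: AppLocker policy XML for the rule set in posts #15 and #22.
# Placeholders: the standard user's SID and the Chrome folder. Collections stay AuditOnly until the
# dry run at the end returns nothing, because a collection with any rule denies everything else.
Import-Module AppLocker
$UserSid     = 'S-1-5-21-PLACEHOLDER-1001'   # placeholder: the standard user (Kees / Nero)
$AdminsSid   = 'S-1-5-32-544'                # BUILTIN\Administrators
$EveryoneSid = 'S-1-1-0'                     # Everyone
$ChromeDir   = '%OSDRIVE%\Users\Nero\AppData\Local\Google\Chrome\Application\*'

function New-PathRuleXml([string]$Name, [string]$Sid, [string]$Path) {
    # One Allow path rule; every AppLocker rule needs its own GUID
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"Allow`">" +
    "<Conditions><FilePathCondition Path=`"$Path`"/></Conditions></FilePathRule>"
}

# Post #15 a): the user may run any signed executable; unsigned ones need a hash rule instead
$signedRule = @"
<FilePublisherRule Id="$([guid]::NewGuid())" Name="User: any signed exe" Description="" UserOrGroupSid="$UserSid" Action="Allow">
  <Conditions><FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
    <BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions>
</FilePublisherRule>
"@

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    $signedRule
    $(New-PathRuleXml 'Admins: Windows'       $AdminsSid '%WINDIR%\*')
    $(New-PathRuleXml 'Admins: Program Files' $AdminsSid '%PROGRAMFILES%\*')
    $(New-PathRuleXml 'User: Chrome in AppData' $UserSid $ChromeDir)
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly">
    $(New-PathRuleXml 'All: Windows DLLs'       $EveryoneSid '%WINDIR%\*')
    $(New-PathRuleXml 'All: Program Files DLLs' $EveryoneSid '%PROGRAMFILES%\*')
    $(New-PathRuleXml 'User: Chrome DLLs'       $UserSid $ChromeDir)
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    $(New-PathRuleXml 'All: Windows scripts' $EveryoneSid '%WINDIR%\*')
    $(New-PathRuleXml 'User: Chrome scripts' $UserSid $ChromeDir)
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-example.xml'
$policyXml | Set-Content -Path $policyPath -Encoding Unicode

# Dry run: anything in Chrome's folder that is not Allowed for the user shows up here
Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\Application" -Recurse -Include *.exe, *.dll |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User $UserSid |
    Where-Object { $_.PolicyDecision -ne 'Allowed' }
```

Only when the dry run prints nothing should the file be applied with `Set-AppLockerPolicy -XmlPolicy $policyPath -Merge` (the `-Merge` switch keeps rules already on the machine) and the collections switched from AuditOnly to Enabled.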
  23. Gobbler

    I have made an interesting observation here about MSI packages. Using the Symantec registry hack to add "Run as administrator" to the context menu, MSI packages are still blocked if MSI packages are controlled by SRP, but are elevated as they should have been when MSI is controlled by AppLocker o_O
  24. Kees1958

    @Gobbler,

    You are right; on the other hand, I tried an MSI and found that it asked for elevation by itself, with the SRP/AppLocker combo.
  25. m00nbl00d

    Either you know something Microsoft doesn't... or SRP isn't working, at all. :D SRP gets disabled once AppLocker gets enabled. :p

    So... is it really working? :doubt: