OS: Win 7 x64. Issue: Once in a while, AppLocker blocks a program that it shouldn't be blocking. For example, yesterday it blocked my PDF reader when I tried to open a PDF. Rebooting always solves the issue. This first started happening within perhaps the past 4 to 8 months or so. I haven't researched this issue elsewhere yet.
I haven't noticed this yet, MrBrian, although I don't use my Win7x64 machine that often these days. Have you checked to see if the Application Identity service is running when this happens?
Thanks, wat0114. I didn't check that. I believe if that service isn't running, there will be no AppLocker enforcement at all? I'm wondering if EMET is somehow causing this, because it seems the only affected programs are those that have EMET mitigations.
Oops... yes, you are right. I got that backwards, so I doubt that's the problem. Maybe it is EMET causing the problem. I know I've had to disable some mitigations, can't remember which, to get some applications working properly, but I know there wasn't anything causing AppLocker to block when it shouldn't. Actually, did you check the Event Viewer logs? I think it's under Application and Services Logs\Microsoft\Windows
I just checked the AppLocker logs. I don't see any AppLocker event corresponding to the program that was blocked last night, so maybe AppLocker isn't causing the problem. When the issue occurs, I get a "blocked by group policy" message, which I'd (perhaps wrongly) assumed was because of AppLocker.
The issue happened again. This time there was an AppLocker block event in the event log. I also noticed that "Microsoft EMET Service" was not started when this happened.
Well, that is really puzzling: AppLocker is blocking randomly like that, and a re-boot somehow fixes the problem. Do you have the rules apply to the "Everyone" group or something else, such as "Users"? Not that this should really matter. Also, have you modified security permissions on any of your main directories such as Program Files or Windows? Does the block message look like the attached?
My ruleset is still similar to https://www.wilderssecurity.com/threads/anyone-running-applocker.272761/#post-1679077. I haven't made any ACL changes on folders Program Files or Windows lately that I can recall. The block message is indeed that one.
I'm practically at a loss for ideas now. It makes no sense. Just one more, although it seems unlikely... is Software Restriction Policy somehow enabled? It should be overruled by AppLocker policy anyway even if it is enabled. I seem to remember you experimenting with PowerBroker a while back as well. That isn't somehow enabled and conflicting, is it?
SRP isn't enabled. I installed PowerBroker only on a virtual machine, not on the real machine having this issue.
The only idea I have now is maybe export your policy, clear the policy, re-boot, then re-enable AppLocker and import your policy. Or maybe first try the basic Defaults and see if that works, and if so then try your policy? Otherwise I'm completely flummoxed.
Maybe I could try that. The weird thing though is that the program that was blocked worked fine earlier in the same session.
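The checks discussed in this thread (Application Identity service state, EMET service state, AppLocker block events) can be gathered into one timeline the next time a block occurs. The following PowerShell is an added example, not posted by any participant in the thread; the 24-hour look-back window and the English message text it matches on are assumptions.

```powershell
# Added example: collect the evidence discussed in the thread right after an
# unexpected AppLocker block. Run from an elevated PowerShell prompt.
$since = (Get-Date).AddHours(-24)   # look-back window (assumption)

# 1. Current state of the two services mentioned in the thread.
#    AppIDSvc is the service name of "Application Identity".
Get-Service -Name AppIDSvc |
    Select-Object Name, DisplayName, Status
Get-Service -DisplayName 'Microsoft EMET Service' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status

# 2. AppLocker "EXE and DLL" block events (event ID 8004).
$blocks = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8004
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Service Control Manager state changes (event ID 7036) for the same two
#    services. The match is on English display names (assumption).
$svcChanges = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Application Identity|EMET' }

# 4. One chronological view, so a block can be lined up against the most
#    recent start/stop of either service in the same session.
@($blocks) + @($svcChanges) |
    Where-Object { $_ } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List
```

If a block event for a program that ran earlier in the same session is preceded by a stop or restart of either service, that narrows the cause before resorting to clearing and re-importing the policy.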