Application Whitelist Auditor

Link: https://www.airlockdigital.com/application-whitelisting-auditor/

Download: https://www.airlockdigital.com/AirlockApps/ApplicationWhitelistAuditor.exe

 

Thanks as always @WildByDesign

 

Looks interesting. Thanks

 

Neat! So have you both tried it yet?

 

It audits AppLocker policies.... test usefulness is limited when you have non-Microsoft SRP running.

The tool can't determine how secure a system is as a result.

 

You're welcome. I have not tested it quite yet but I am preparing to do so in the next hour or so. It seems predominantly towards AppLocker configuarations, however, it does contain general execution tests for non-Microsoft app whitelisting vendors. Hopefully it will still be of some use aside from AppLocker.

 

It is has been running for at least 80 minutes ...so slow.

 

Interesting, thank you WBD! I can see where this might be helpful to an application control utility... you never know what it might find. I think typically, attacks are somewhat limited where they can drop and execute files, but it certainly never hurts to make sure everything is buttoned up... there is no reason not to, right?

 

Hehehe, are you testing VS with it disabled . I know people usually lower VS's security posture to Smart OFF or AutoPilot when testing, but something tells me VS will probably not perform that well if it is disabled . Just joking .

BTW, if someone is going to test VS, you will need to disable the Parent Process feature, and turn off the Auto Deactivation... it appears to be a long test. I am testing it as well.

 

I like how this tests execution based upon which folders are writeable by the user. Quite realistic and real world potentials based on what the current user has permissions for. Long test indeed, though. Mine is still running as well.

This was recommended by Casey Smith (subTee) who specializes in application whitelisting.

 

Yeah, it is pretty cool. I started run a test my main computer, then read where it might leave the test files (named "ApplockerAudit...") all over your computer... which it did, so I stopped the test for now... besides, it really was going to take forever.

I have not heard much from Casey Smith in quite sometime... what is he up to? Anything interesting?

 

Use Shadow Defender, and run the test in Shadow Mode. It will not leave a trace anywhere after rebooting. I may try the test myself when I have time.

 

Good find WildByDesign!

 

Is Shadow Defender like Deep Freeze?

 

Yeah, that would be cool! I have a couple of different computers that I trash and reload all of the time, so I will probably use one of those for now. It would be cool if the app's developer would add a folder tree, so we can retest specific folders. This would actually be super simple to recreate, so if you guys come up with other idea, I might throw something together... or we can see if they can add it.

 

Yes, it is.

http://www.shadowdefender.com/

 

Cheers!

 

Yes, it is. Shadow Defender also virtualizes all of track 0, and the last time I looked it was the only light virtualization application that does. Shadow Defender has been tested against malware that infect the mbr, and all changes to the mbr were discarded after rebooting.

 

I think once you use Shadow Defender it will become a permanent addition to your setup. I doubt you will see anyone able to bypass it.

 

Btw.. I forgot to mention that Shadow Defender beat out snap shot software in reversing changes made to the system in the past. SD is now more secure than it was in the past with track 0 virtualization. That should speak volumes. It should work perfect for test tools like the one mentioned in this thread.

That's all I will mention of SD in this thread. I don't want to get the thread off topic anymore.

 

Honestly, SD and other virtualization/rollback system has nothing to do in this test , we all know that all the changes will be reversed after reboot

 

FYI, if anyone is interested, here are VS's EXE misses for Windows 8.1, UAC disabled. The dll test is not as straightforward, but I will not even get into that .

C:\Windows\System32\Tasks
C:\Windows\SysWOW64\Tasks
C:\Windows\Tasks
C:\Windows\Temp

I understand the Tasks "misses"... but I wonder how they gained access to the Temp folder? I do not even have access to it as admin. Any ideas?

BTW, if someone wants to run the test again for VS, it is helpful to uncheck the "Enable balloon notifications and user prompts" option in Basic Settings. The test will go much faster.

 

Just finished the test (took 10-15mn) , i have to (obviously) disable/reduce several protection tools/features on my OS to let it run.

1- allows non metro apps to install (Win10 CU feature)
2- set Appguard to "allow user space launch" if not the tool can't be executed.

result:

1- on system-space (Program Files and Windows), no exe or dll can execute, result expected, job done.
2- on some "C:\User" folders, some dlls managed to get in.

 

Hi Dan,

The only reason I disabled VS is because it was logging every thing. I am posting this on my XP, since my Surface Book is still being charged. I put it into 'sleep mode' before , I went out earlier. Just got back 5 minutes ago. So, when I start up the laptop, I will see if the scanning resumes or not. Maybe, it was canceled.

 

I was just joking, I thought it was funny .