Application Whitelist Auditor

Discussion in 'other software & services' started by WildByDesign, Jun 12, 2017.

  1. Tarnak

    Tarnak Registered Member

    Testing software can be funny...:p ;)
     
  2. Tarnak

    Tarnak Registered Member

    Unbelievably slow! Still going...

    Airlock Digital_Application Whitelist Auditor_18.JPG
     
    Last edited: Jun 13, 2017
  3. guest

    guest Guest

@Tarnak, surely because of one of your security softs, because on my system it took 10-15 min max.
     
  4. Tarnak

    Tarnak Registered Member

    Hi guest,

    If you look at VS logging in my post above, I am beginning to think it could be REHIPS.
     
  5. guest

    guest Guest

@Tarnak, I see, the tool tries to write in the rehipsusers folders, which it can't because it needs admin rights to do so.
     
  6. Tarnak

    Tarnak Registered Member

    @guest, I run as admin on my system, so I don't understand...I know you are very knowledgeable about ReHIPS. What is it about your ReHIPS install on your system, that is so different to my install?
     
  7. guest

    guest Guest

    @Tarnak , the test tool must be run under SUA.

Also, I'm always under SUA. Running as Admin makes the job of malware easier.
     
  8. Peter2150

    Peter2150 Global Moderator

    I have a couple of questions before I play with this.

1. Will it run under Win 7 in an admin account?

2. If I have to disable any security software, then what will I really learn?

3. Since I've tested my setup against several hundred live malware samples, again, will I really learn anything?
     
  9. guest

    guest Guest

1- It can, but it is not supposed to be run on an admin account, because best practice is to run a system on SUA.
2- You just have to let the security product allow the tool to be executed once, for the GUI to show up, then revert to the state your security apps were in before.
3- Yes, you will learn which folders are really protected or not by the security apps. If at the end of the test the tool shows exes or DLLs executed in them, it means the software totally failed to protect them (based on the tool developer's opinion).

Note that the tool is made to test AppLocker (or, to a lesser extent, SRP/anti-exe), so your security product setup, based on your personal configuration.

    For example against Appguard:
0- If you don't lower the protection, the tool can't even launch its GUI. So, like with every test tool, you have to allow it once (as you would do for the Comodo or SpyShelter leak tests, etc.).
1- You will add the tool's executable to Guarded Apps with memory write/read and Privacy all set to "on", because in a normal situation with AG you won't let an unknown exe you want to test run unrestricted and compromise critical areas.
2- Then you just click Start; at the end of the test you will see the folders accessed (shown as "executed") by exes or DLLs. Executed means the software failed to protect them from possible attacks.

In the test my AppGuard totally protected System-Space (Program Files & Windows); no exe or DLLs could compromise it.
     
    Last edited by a moderator: Jun 13, 2017
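The drop-and-execute test described in the post above, as an added example written for this page. It is not the Airlock Digital auditor's code and not from anyone in the thread: it copies a harmless test executable into user-writable directories, tries to launch it, and cross-checks the AppLocker "EXE and DLL" log for block events (8004/8007 enforced, 8003/8006 audit mode). Assumptions: -TestExe is a benign, unsigned .exe you built yourself; -TestDll (optional) is a benign .dll exporting a function named by -DllEntry, loaded through rundll32.exe; the target directory list is my own, not the auditor's. Run it non-elevated, as the post advises, and not on a production machine.

```powershell
param(
    [Parameter(Mandatory)][string]$TestExe,   # benign unsigned .exe you built (assumption)
    [string]$TestDll,                         # optional benign .dll (assumption)
    [string]$DllEntry = 'Probe'               # assumed export name in that DLL
)

# Candidate user-writable locations (my list, not the auditor's). AppLocker's default
# rules only allow %WINDIR% and %PROGRAMFILES%, so a working policy should block all of these.
$targets = @(
    $env:TEMP,
    $env:LOCALAPPDATA,
    $env:APPDATA,
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop'),
    $env:PUBLIC,
    (Join-Path $env:ProgramData 'ProbeTest')  # ProgramData root is user-writable by default
) | Select-Object -Unique

function Get-BlockEvents {
    # AppLocker: 8004 = EXE blocked, 8007 = DLL blocked; 8003/8006 = audit-mode "would have blocked".
    # Event messages show paths as %OSDRIVE%\USERS\...\PROBE_X.EXE, so match on the unique file name.
    # SRP logs to the Application log instead and is not checked here.
    param([datetime]$Since, [string]$Path)
    $leaf = Split-Path -Leaf $Path
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004, 8006, 8007
        StartTime = $Since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$leaf*" }
}

function Test-DropAndRun {
    param([string]$Dir)
    $r = [ordered]@{ Directory = $Dir; Writable = $false; Exe = 'n/a'; Dll = 'n/a' }
    $dropped = @()
    $since = (Get-Date).AddSeconds(-1)
    try {
        if (-not (Test-Path -LiteralPath $Dir)) { New-Item -ItemType Directory -Path $Dir -ErrorAction Stop | Out-Null }
        $tag = [guid]::NewGuid().ToString('N')
        $exe = Join-Path $Dir "probe_$tag.exe"
        Copy-Item -LiteralPath $TestExe -Destination $exe -ErrorAction Stop
        $dropped += $exe
        $r.Writable = $true
    } catch {
        $r.Exe = "write denied: $($_.Exception.Message)"
        return [pscustomobject]$r
    }
    try {
        $p = Start-Process -FilePath $exe -PassThru -WindowStyle Hidden -ErrorAction Stop
        if (-not $p.WaitForExit(5000)) { $p.Kill() }
        $r.Exe = 'EXECUTED (not protected)'
    } catch {
        # AppLocker/SRP refusals surface here as Win32 error 1260, "This program is blocked by group policy".
        $r.Exe = "blocked at launch: $($_.Exception.Message)"
    }
    if ($TestDll) {
        $dll = Join-Path $Dir "probe_$tag.dll"
        try {
            Copy-Item -LiteralPath $TestDll -Destination $dll -ErrorAction Stop
            $dropped += $dll
            # rundll32.exe lives in %WINDIR% and is allowed; only an enforced DLL rule stops the load.
            $p = Start-Process -FilePath "$env:WINDIR\System32\rundll32.exe" -ArgumentList "`"$dll`",$DllEntry" -PassThru -WindowStyle Hidden -ErrorAction Stop
            if (-not $p.WaitForExit(5000)) { $p.Kill() }
            Start-Sleep -Milliseconds 500   # let the AppLocker event land before querying the log
            $blocked = Get-BlockEvents -Since $since -Path $dll
            $r.Dll = if ($blocked) { "blocked (event $($blocked[0].Id))" } else { 'LOADED (no DLL rule fired)' }
        } catch {
            $r.Dll = "error: $($_.Exception.Message)"
        }
    }
    # Cross-check the EXE result against the log too, in case a product killed the process after launch.
    $exeEvents = Get-BlockEvents -Since $since -Path $exe
    if ($exeEvents) { $r.Exe += " [AppLocker event $($exeEvents[0].Id)]" }
    foreach ($f in $dropped) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    return [pscustomobject]$r
}

$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as $env:USERNAME, elevated: $elevated (per the thread, this should be False)"
$targets | ForEach-Object { Test-DropAndRun -Dir $_ } | Format-Table -AutoSize
```

A row reading "EXECUTED" or "LOADED" is the condition the post calls a failure to protect that folder; "write denied" means the directory was not reachable at all from this user context, which is a different (and stronger) result. If the AppLocker log is not readable from your account, the event cross-check is silently skipped and only the launch result is reported.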
  10. Peter2150

    Peter2150 Global Moderator

Interesting, I wonder how MZWriteScanner, Pumpernickel and ERP will affect the tests.
     
  11. VoodooShield

    VoodooShield Registered Member

    Hmmm, something is not right, in VS did you...

    1. Disable "Enable balloon notification and user prompts" (Basic tab)
    2. Disable "Automatically deactivate after 10 minutes of system idle" (Advanced tab)
    3. Disable "Automatically allow by parent process" (Advanced tab)
     
  12. guest

    guest Guest

    @Tarnak don't run the tool as admin...
     
  13. VoodooShield

    VoodooShield Registered Member

    We should probably email the dev to see for sure, but I do not think that is what he meant when he said "The utility is designed to be run as a standard (non-privileged) user."

    I think what he was saying is that the computer should be tested under normal operating conditions... but simply to not right click on the "ApplicationWhitelistAuditor.exe" file and choose "Run as Administrator".

    You will certainly have different results if you run on an admin account vs a sua.
     
  14. guest

    guest Guest

I guess ERP will block exes only, because it can't monitor DLLs; for the others I don't know, I don't use them.
     
  15. guest

    guest Guest

For me, "designed to be run as a standard (non-privileged) user" is SUA. AppLocker is made to lock users' workstations, which are supposed to be under SUA, not let them run under an admin account.
     
  16. WildByDesign

    WildByDesign Registered Member

MZWriteScanner should do thoroughly well because this test has to do with dropping executable binaries into user-writable directories and then executing. So MZWS would grab the two hashes (one for the .exe and one for the .dll) and not allow execution on the system. It may be slow in the sense that it has to SHA256 hash the binaries, but not entirely sure. Regardless, MZWS is a fantastic tool for capturing and disarming dropped executables. Super powerful, as you already know. I recall the other day, Matt Graeber (mattifestation), another app whitelisting guy, was looking exactly for such a tool as MZWS. Unfortunately I do not have Twitter though and therefore could not message the guy to let him know. He would likely love the fact that MZWS can copy all dropped binaries to a forensics folder as well.
     
  17. guest

    guest Guest

@WildByDesign, I would enjoy using some of those Excubits tools like MZW, but I can't afford them ^^
     
  18. VoodooShield

    VoodooShield Registered Member

    We should email him and ask what he meant by that... I think he would have used the word "Account" if he meant account.

    With UAC (even running on an Admin account), there are 3 levels

    AsInvoker
    HighestAvailable
    RequireAdministrator

    This is what UAC is really all about... it allows you to run as an admin account, while still running most processes "AsInvoker" (or "HighestAvailable").

    Which I understood "The utility is designed to be run as a standard (non-privileged) user." as the dev's way of saying... do not run this file as admin, because most files do not require administrator privileges... run it AsInvoker.

    We should email him and find out for sure, it would be interesting. It would also be interesting to see the different results between a SUA and an Admin account, on the same machine, under the same conditions.
     
  19. Tarnak

    Tarnak Registered Member

    Well, I entered into 'hibernate mode', earlier this evening, and then I noticed that the laptop had shut down. So, because the battery had run down, again, I had to put it on the charger.

    I started the laptop, and as you can see from the VS logs, it resumed at 12:14 am, and the scan is, powering along, now.

    Airlock Digital_Application Whitelist Auditor_19.JPG
     
  20. Peter2150

    Peter2150 Global Moderator

    Thanks WBD. You've told me what I need to know. I'd be wasting my time running this.
     
  21. Tarnak

    Tarnak Registered Member

    I didn't. ;)
     
  22. guest

    guest Guest

    :D aren't you curious? :p
     
  23. VoodooShield

    VoodooShield Registered Member

Yep, something always seems to go wrong while testing, then you have to start all over again ;). Fun fun.

    But once you have everything in place, the tests go pretty well.
     
  24. Mr.X

    Mr.X Registered Member

Good luck guys on your testing. Hope you don't find any "holes/issues" in my favorite sec apps.
     
  25. Tarnak

    Tarnak Registered Member

The scan finished at 12:42 am.... But I can't get the screenshot. I am having problems with control of the cursor. It is wayward, and has been ever since the scan started. I will try later. I need to go to bed.
     