A Few Questions Regarding Appguard, Applocker, and EMET.

Discussion in 'other anti-malware software' started by CrusherW9, Dec 27, 2012.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Very nice Kees :) :thumb:

    although, and I hope I'm wrong for your sake, I think the SRP policy settings will be ignored because you are running both AppLocker and SRP simultaneously within the same system. I know it works this way when they are enabled within the same domain.
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have tested this: AppLocker rules overrule SRP rules, so EXE, COM and MSI are handled by AppLocker, all other executable extensions are handled by SRP. Main reason is that DLL rules with AppLocker seem to have an impact on system performance (on my 2008 low spec dual core).


    Sequence of security interaction (according to my testing):

    1st: Open File security warning (or block with 1806 trick): file originating from Internet
    2nd: Access Control List: "deny execute file/traverse folder" generates a deny "Windows cannot access the specified ....etc. "
    3rd: UAC (e.g. when deny elevation of unsigned is enabled)
    4th: AppLocker
    5th: SRP

    Who needs third party security when owning an Ultimate Version :D
     
    Last edited: Jan 5, 2013
  3. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    Have you tried executing scripts? The reason I am asking this is because I tried applying AppLocker/SRP the very same way you have, but upon enabling AppLocker, SRP no longer blocks scripts as it should, because SRP was supposed to look over script executions and AppLocker executables and MSI files. Am I missing something?
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Gobbler, see picture: SRP does not prevent other executable formats from running, so I will drop SRP and only rely on AppLocker. Thx
     

  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I think I have mentioned that before in some other thread (that SRP won't work when AppLocker is enabled)... but no one ever believes me... lol
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    True, you mentioned it. It is not that I don't believe you, I trusted the Microsoft info telling that AppLocker rules overruled SRP rules, :oops:

    it took some to learn and test thanks to Gobbler, :blink:

    AppLocker ONLY from now on :cool:
     

  7. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    u r welcome :)
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Good to see you got it all sorted, Kees :)

    My thoughts exactly :thumb: Well, almost...I use EMET and currently Jetico firewall :shifty:
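
An added example, not part of the original thread: a read-only PowerShell check for the situation the posters ran into, where SRP is configured alongside AppLocker and scripts end up covered by neither. It assumes PowerShell 3.0 or later, an elevated prompt, and the standard SRP policy registry key; the variable names are illustrative.

```powershell
# Added example: report which application-control policy is really in effect.
# Read-only. Assumes PowerShell 3.0+ and an elevated prompt.
Import-Module AppLocker

# Effective AppLocker policy (local policy merged with any GPOs), as XML.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

$collections = foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    # Count only rule elements (FilePathRule, FilePublisherRule, FileHashRule).
    $rules = @($rc.ChildNodes | Where-Object { $_.LocalName -like '*Rule' })
    [pscustomobject]@{
        Type        = $rc.GetAttribute('Type')            # Exe, Msi, Script, Dll, Appx
        Enforcement = $rc.GetAttribute('EnforcementMode') # NotConfigured, AuditOnly, Enabled
        Rules       = $rules.Count
    }
}
$collections | Format-Table -AutoSize

# SRP stores its policy under this key; no key means no SRP policy.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$srp    = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue

# AppLocker depends on the Application Identity service.
$appId = Get-Service -Name AppIDSvc

$withRules = @($collections | Where-Object { $_.Rules -gt 0 })
$scriptRc  = $collections | Where-Object { $_.Type -eq 'Script' }

if ($withRules.Count -gt 0 -and $null -ne $srp) {
    Write-Warning ('AppLocker rules and an SRP policy are both present. ' +
        'Per the testing in this thread, do not count on the SRP rules being applied.')
}
if ($withRules.Count -gt 0 -and ((-not $scriptRc) -or ($scriptRc.Rules -eq 0))) {
    Write-Warning 'AppLocker has no Script rules, so script files are not covered by it.'
}
if ($withRules.Count -gt 0 -and $appId.Status -ne 'Running') {
    Write-Warning 'Application Identity service (AppIDSvc) is not running; AppLocker rules are not enforced.'
}
```

Whatever the report shows, confirm it the way Gobbler did: try to run a test script and a test executable from a location the rules should block.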
     