Anybody else experiencing this AppLocker issue?

Discussion in 'other security issues & news' started by MrBrian, Oct 5, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    OS: Win 7 x64.

    Issue: Once in a while, AppLocker blocks a program that it shouldn't be blocking. For example, yesterday it blocked my PDF reader when I tried to open a PDF. Rebooting always solves the issue. This first started happening within perhaps the past 4 to 8 months or so.

    I haven't researched this issue elsewhere yet.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I haven't noticed this yet, MrBrian, although I don't use my Win7x64 machine that often these days. Have you checked to see if the Application Identity service is running when this happens?
     
  3. MrBrian

    Thanks wat0114 :). I didn't check that. I believe if that service isn't running, there will be no AppLocker enforcement at all?

    I'm wondering if EMET is somehow causing this, because it seems the only affected programs are those that have EMET mitigations.
     
  4. wat0114

    Oops... yes, you are right. I got that backwards :confused: so I doubt that's the problem. Maybe it is EMET causing the problem. I know I've had to disable some mitigations, can't remember which, to get some applications working properly, but I know there wasn't anything causing AppLocker to block when it shouldn't.

    Actually, did you check the Event Viewer logs? I think it's under Application and Services Logs\Microsoft\Windows
     
    Last edited: Oct 5, 2014
  5. MrBrian

    I just checked the AppLocker logs. I don't see any AppLocker event corresponding to the program that was blocked last night, so maybe AppLocker isn't causing the problem. When the issue occurs, I get a "blocked by group policy" message, which I'd (perhaps wrongly) assumed was because of AppLocker.
     
  6. MrBrian

    The issue happened again. This time there was an AppLocker block event in the event log. I also noticed that "Microsoft EMET Service" was not started when this happened.
     
  7. wat0114

    Did the block event match exactly the rule it corresponds to? I guess you are using Path rules?
     
  8. MrBrian

    Yes and yes.
     
  9. wat0114

    Well, that is really puzzling: AppLocker is blocking randomly like that, and a reboot somehow fixes the problem.

    Do you have the rules apply to the "Everyone" group or something else, such as "Users"? Not that this should really matter.
    Also, have you modified security permissions on any of your main directories such as Program Files or Windows?
    Does the block message look like the attached?
     

    Attached Files:

  10. MrBrian

    My ruleset is still similar to https://www.wilderssecurity.com/threads/anyone-running-applocker.272761/#post-1679077. I haven't made any ACL changes on folders Program Files or Windows lately that I can recall. The block message is indeed that one.
     
  11. wat0114

    I'm practically at a loss for ideas now. It makes no sense o_O

    Just one more, although it seems unlikely... is Software Restriction Policy somehow enabled? It should be overruled by AppLocker policy anyway even if it is enabled. I seem to remember you experimenting with PowerBroker a while back as well. That isn't somehow enabled and conflicting, is it?
     
  12. MrBrian

    SRP isn't enabled. I installed PowerBroker only on a virtual machine, not on the real machine having this issue.
     
  13. wat0114

    The only idea I have now is maybe export your policy, clear the policy, reboot, then re-enable AppLocker and import your policy. Or maybe first try the basic Defaults and see if that works, and if so then try your policy? Otherwise I'm completely flummoxed.
     
  14. MrBrian

    Maybe I could try that. The weird thing though is that the program that was blocked worked fine earlier in the same session.
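
The checks raised across this thread (service state, the AppLocker event log, and whether the block matches the rule set) can be captured in one pass at the moment a wrongful block occurs. The script below is an added example, not part of any post in the thread; `$BlockedPath` and `$LookBackMinutes` are hypothetical parameters, and the path default is a placeholder to replace with the program that was blocked.

```powershell
# Added example: run from an elevated PowerShell prompt right after the block, before rebooting.
param(
    [string]$BlockedPath = 'C:\Path\To\Blocked.exe',  # placeholder, not a value from the thread
    [int]$LookBackMinutes = 30                        # hypothetical look-back window
)

Import-Module AppLocker   # provides Get-AppLockerPolicy and Test-AppLockerPolicy

# 1. State of the Application Identity service and of the EMET service named in the thread.
Get-Service -Name AppIDSvc | Select-Object Name, DisplayName, Status
Get-Service -DisplayName 'Microsoft EMET Service' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status

# 2. Recent AppLocker block events for executables and DLLs (event ID 8004).
$since = (Get-Date).AddMinutes(-$LookBackMinutes)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8004
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Save the effective policy as XML so it can be compared with a copy taken after the reboot.
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$policyFile = Join-Path $env:TEMP "applocker-effective-$stamp.xml"
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyFile -Encoding UTF8
"Effective policy saved to $policyFile"

# 4. Ask the policy engine what the stored rules say about the blocked file.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $BlockedPath -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

If step 4 reports the file as allowed while step 2 shows a block event for the same path, the stored rules are not what blocked it, and the service states from step 1 and the saved policy snapshot are the evidence to compare against a healthy session.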
     