Applocker doesn't work!!!

Discussion in 'other software & services' started by Arcanez, Feb 11, 2012.

Thread Status:
Not open for further replies.
  1. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    hey guys,

I'm pretty frustrated because I tried to configure AppLocker on two different rigs here and didn't have success. It just doesn't do anything... tried on a Win7 x64 and a Win7 x86 machine but it didn't work and I don't get it...

I set the Application Identity service to "automatic" and "started", configured AppLocker with gpedit.msc, added all the standard rules to executables, installers, scripts and DLLs, everything enforced, UAC maxed out, rebooted several times and tested with standard account users. It's ridiculous: I created a rule under "executables" that denies "users and groups" from executing "Ccleaner". For that rule I chose "Publisher" and denied every signature that comes from Piriform just as a test.

    Then logged back to my standard account user and guess what, Ccleaner started just fine, I really don't get the point....

Need some help please, what's going on here?!!
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    I really just suggest using software restriction policies (SRP) instead, as I have never had it fail. I am sure there are ways for a determined and intelligent individual to circumvent it, but that is true of anything, and probably more true of Applocker.
     
  3. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    under "executables" there is one standard rule that allows "everyone" to run everything in the programs folder. Again just to test it out I made an exception rule for this that "Ccleaner" is not allowed to run but everything else.

    It just doesn't apply it seems, Ccleaner again started fine under my standard account user. I just want to understand it!!!!!!!!!!!! GRRRRRRRR
     
  4. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Post screenshots of your rules
     
  5. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    I just have the standard rules for "executables", "windows installers", "scripts", "DLL's", these were created automatically.

Just modified one standard rule for testing purposes. It was an executable rule that allows everyone (standard users, groups) to run "everything" located in C:/program files....... I just added an exclusion to that rule that the following path is NOT allowed to run by standard users, groups ( C:/Program Files/Ccleaner/Ccleaner.exe)

    Logged back to my standard account then and started ccleaner without any problems and now I want to know WHY Applocker didn't prevent that like I configured....
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,787
    Follow the guide here: http://technet.microsoft.com/en-us/library/dd723686(WS.10).aspx

    After you created your rules and started the service etc, did you open a command prompt (as administrator) and run 'gpupdate /force'? You also have to tell it to enforce the policies...

    If you follow all the steps in the link above, everything works fine....
     
    Last edited: Feb 11, 2012
  7. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
just created a DENY rule under the executable tab, that clearly denies execution of C:/Program Files/Ccleaner/Ccleaner.exe for EVERYONE. Then spammed gpupdate /force in my command prompt run with admin privileges and got like 80 messages that the command was successful, then rebooted and logged on my standard account, started ccleaner just as usual.........

Seriously, is this AppLocker a joke by Microsoft??

If only it were that simple as demonstrated in this video... It's ridiculous how the speaker talks like it's so damn easy to configure...
     
  8. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    Did you enforce the rules?
     

  9. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    ofc I did
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So, just to see if I'm understanding, you created the predefined set of rules, which will allow execution from Program Files and Windows, and then created a different rule to prevent CCleaner's execution. Is that it?

How did you create that rule? It would help a lot if you could upload some images.

    But, you cannot create a separating rule denying execution. Not like that. You can generally create an exception rule within the rule that allows execution of executables. But, you cannot exclude specific users or groups.

    You could create a GPO for that task.
     
  11. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
That's exactly what I did after the first testing, I added CCleaner as an exception to the execution allow rule for standard users. So this basically means that users are allowed to run everything inside C:/Program Files except for CCleaner.

    But like I said I was able to run Ccleaner as a standard user although I created that exception....

    Also I don't think I'm doing anything wrong...
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't know what to tell you. I just applied an exception rule to prevent CCleaner from executing, and AppLocker successfully prevented execution.

    It truly would help if you could provide some screen shots of those rules. Maybe there's something else we're missing.
     
  13. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
My operating system is German, therefore I don't know if screenshots would be helpful. I mean it's just the standard rules with that ccleaner exception, nothing else...
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
My best advice would be to stop enforcing all the rules and remove them. Reboot your system, and then reapply them - including the exception rule. Reboot. See if AppLocker successfully prevents CCleaner from executing.
     
  15. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    I removed all of the predefined rules, removed the checkmarks for enforcing the rules then rebooted and created the standard rules including that exception again, picked "enforce rules" and rebooted again. Logged on my standard account but was able to run CCleaner again...

    I think Applocker is broken for me on my 2 machines....
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Do you have AppLocker's service Application Identity set to start automatically? Verify if it is, just in case.

    Otherwise, you probably could have a corrupted Windows install? Try to run SFC by using the /scannow parameter. See more at this link -http://support.microsoft.com/kb/929833

    -edit-

    Also make sure your Windows is up-to-date. There could be a bug with how AppLocker handled Publisher rules (o_O), and that's why it's not working in your systems. Other than this, I'd suggest you get in touch with Microsoft support team, by going to Microsoft's forum. It would be your best bet, as for sure they will be more prepared to help you figure out what's wrong.

    It's odd that it happens in the 2 machines.
     
    Last edited: Feb 12, 2012
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Just one question. If you try to execute something from a non-allowed location, can you execute?

    -edit-

    Also, at first I thought you were trying to achieve something else, which would require you to use GPOs, but you can also create a specific denying rule.

    So, if we have under consideration you got the default rules created, allowing execution from Program Files, you can create a separate rule blocking execution of a given Publisher, Hash or Path, within Program Files, etc. Either way works: exception rules or separate rules.
     
    Last edited: Feb 12, 2012
  18. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
AppIDSvc is running.

    Ran the command and it repaired some files, but tried Applocker after that and still it doesn't work.


    I chose path rule for that CCleaner exception/Deny Rule.

    deleted the standard allow rule for everything inside C:/Program Files and created a Deny Rule for CCleaner. But still CCleaner is running just fine.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I just tried, and AppLocker blocks CCleaner execution, regardless of being Publisher, Path or Hash.

    What I meant was if you could execute something outside of Program Files/Windows.

    Apply the default rules, and then download -http://public.avast.com/~gmerek/aswMBR.exe

    Place the executable in your Desktop. Run it and see if it executes. Execution should be blocked by AppLocker; if it isn't, then there's clearly something wrong happening in both your systems.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. Let's try the following approach. I noticed you used Gpedit.msc to apply your rules.

    1. Stop enforcing the rules;
    2. Remove all rules;
    3. Stop Application Identity service;
    4. Reboot;
    5. Open secpol.msc, instead of gpedit.msc;
    6. Apply the default rules;
    7. Enforce the rules;
    8. Enable Application Identity service;
    9. Reboot;
    10. Apply the exception rule for CCleaner;
    11. Reboot;
    12. Run CCleaner and see if execution is blocked.
     
  21. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    didn't work, CCleaner again runs fine. I don't get it, there must be an explanation why it doesn't do anything...
     
  22. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Since it hasn't been explicitly noted..., you are running Win 7 Ultimate, correct?
     
  23. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    yep.....
     
  24. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
I don't have Ultimate and therefore don't use AppLocker, but the behavior sure has the flavor of a precedence issue, even though my quick read on the Microsoft site is that a specific deny rule should always take precedence.
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Open eventvwr.msc with administrator rights. Open the tab Services and Applications Logs. Something like that. Obviously, yours will be in German. :D

    Then, go in Microsoft > Windows > AppLocker > EXE and DLL

    Run CCleaner again (make sure you still have either the deny or exception rule). Refresh Event Viewer, by going to Action > Refresh.

    You should see an event log for CCleaner. What does it say?
     
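Added example, not posted by anyone in the thread: a PowerShell check that covers m00nbl00d's procedure in post 20 (service running, rules actually in effect and enforced) and the event-log step in post 25 in one script. It assumes the AppLocker module shipped with Win7 Ultimate/Enterprise, the CCleaner path from the thread written the way AppLocker resolves it, and a standard account named StandardUser (an assumed name).

```powershell
# Added example (not from the thread). Run from an elevated PowerShell on the machine being tested.
Import-Module AppLocker

$ExePath  = "$env:ProgramFiles\CCleaner\CCleaner.exe"   # CCleaner path from the thread; adjust if different
$TestUser = "StandardUser"                               # assumed name of the non-admin test account

# 1. AppLocker enforces nothing unless the Application Identity service is actually running.
$svc = Get-Service -Name AppIDSvc
"AppIDSvc status: $($svc.Status) (start type should be Automatic)"

# 2. Show the policy that is really in effect (local + any domain policy merged), not just what
#    gpedit.msc displays. An empty collection here means the rules were never applied.
$effective = Get-AppLockerPolicy -Effective
foreach ($rc in $effective.RuleCollections) {
    "{0}: {1} rule(s), EnforcementMode={2}" -f $rc.RuleCollectionType, $rc.Count, $rc.EnforcementMode
}

# 3. Ask AppLocker how it would decide for this file and this user under the effective policy.
#    PolicyDecision is Allowed, Denied or DeniedByDefault; MatchingRule names the rule that fired.
#    If this says Denied but CCleaner still launches, the rules are fine and enforcement is not happening
#    (service, edition or policy refresh); if it says Allowed, the deny/exception rule does not match the path.
Test-AppLockerPolicy -PolicyObject $effective -Path $ExePath -User $TestUser |
    Format-List FilePath, PolicyDecision, MatchingRule

# 4. Read the log post 25 points to. Event 8002 = allowed, 8003 = audit-only (would have been
#    blocked), 8004 = blocked. No event at all for the launch means AppLocker never evaluated it.
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*CCLEANER*" } |
    Select-Object TimeCreated, Id,
        @{ n = 'Outcome'; e = { switch ($_.Id) { 8002 { 'Allowed' } 8003 { 'Audit: would block' } 8004 { 'Blocked' } default { $_.Id } } } },
        Message
```

Run it once before and once after launching CCleaner from the standard account; the step 3 decision and the step 4 event for the same launch should agree, and where they do not, the mismatch points at enforcement rather than at the rule.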