AppLocker stopped working ???

Discussion in 'other security issues & news' started by m00nbl00d, Dec 25, 2010.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hello,

    I was going to perform an upgrade to Java on a relative's system, and for whatever reason the installer wouldn't start. I checked Event Viewer, and a problem was being reported. I don't have the error msg right now.

    I was wondering if it had anything to do with AppLocker, somehow. But there were no messages in the AppLocker section, though. Not for anything, at all. That's odd!

    I say it's odd because I've been working on this laptop (Windows 7 Ultimate) for the last 3 weeks (not every day and not all the time, which is why I'm taking this time). AppLocker was working fine! I know it was, because I had to give permissions to some batch files through which the web browser I installed is started, due to some other restrictions I've set in place.

    I opened secpol.msc, and the rules are as I left them. I haven't been messing with the laptop for a few days, except today.

    I tried to execute HijackThis.exe, which is on the standard user account's Desktop and is only started with Administrator rights (the standard user account has execution rights removed from places other than Program Files and the Windows dir); but this time I executed it with standard user rights, just to test if I could, and I could! AppLocker is not blocking anything, despite rules being in place o_O It just stopped working o_O

    I went to Services, and Application Identity was set to Manual, instead of automatic as I had it set. I set it to Automatic and rebooted the system.

    It then works.

    The latest software - security related - I installed was both MSE v2 and Sandboxie (one of the latest beta versions). I thought: maybe one of these made all this confusion, somehow o_O Then again, on my system... no problems? It would be odd, wouldn't you say?

    I still can't get to install latest Java version, though. Monitoring Process Explorer, I can see that the installer process is initiated, but then it just dies. I did install this newest version in another relative's system just fine o_O So, not a corrupted installer.

    Anyway, my "issue" here is not Java, though. I'll try to search info about the error, as soon as I can.
    My issue is with AppLocker - Why did it stop working, all of a sudden, due to Application Identity being set to Manual, in some magical way o_O

    This teaches me a lesson, though. Just because AppLocker is enabled... don't believe it's protecting you... not blindly. Always make sure it is working.
     
    Last edited: Dec 25, 2010
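The lesson in the post above ("just because AppLocker is enabled, don't believe it's protecting you") can be turned into a check. The following PowerShell is an added example, not code from the thread or from any of its participants. It assumes it is run from an elevated prompt on Windows 7 or later and checks the three things enforcement depends on: the Application Identity service (AppIDSvc) running and set to start automatically, each rule collection in the effective policy actually being in Enforce mode, and recent block events in the AppLocker event logs. The `-Repair` switch and the `Test-AppLockerHealth` name are the example's own.

```powershell
# Added example (not from the thread). Verifies that AppLocker is actually
# enforcing rules, not merely configured. Run elevated. Written to work on
# Windows 7 / PowerShell 2.0 as well as later versions.

function Test-AppLockerHealth {
    param(
        [switch]$Repair   # put AppIDSvc back to Automatic and start it
    )

    # 1. The Application Identity service performs the rule evaluation. If it is
    #    stopped or set to Manual, the rules shown in secpol.msc are decorative.
    $svc  = Get-Service -Name AppIDSvc
    $mode = (Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'").StartMode   # Auto / Manual / Disabled
    $healthy = $true
    if ($svc.Status -ne 'Running') {
        Write-Warning "AppIDSvc is $($svc.Status): no AppLocker rule is being enforced right now."
        $healthy = $false
    }
    if ($mode -ne 'Auto') {
        Write-Warning "AppIDSvc start mode is '$mode' (expected Auto): enforcement will not survive a reboot."
        $healthy = $false
    }
    if ($Repair -and -not $healthy) {
        # sc.exe rather than Set-Service: on Windows 8.1 and later AppIDSvc is a
        # protected service and the Services snap-in refuses to change its start
        # type. The space after 'start=' is required by sc.exe's syntax.
        & sc.exe config appidsvc start= auto | Out-Null
        Start-Service -Name AppIDSvc
    }

    # 2. Per-collection enforcement mode. 'AuditOnly' or 'NotConfigured' means the
    #    rules exist but nothing is blocked; only 'Enabled' actually denies.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in @($policy.AppLockerPolicy.RuleCollection)) {
        $enf = $rc.GetAttribute('EnforcementMode')
        if (-not $enf) { $enf = 'NotConfigured' }
        Write-Host ("{0,-7} {1,-14} {2} rule(s)" -f $rc.GetAttribute('Type'), $enf, @($rc.ChildNodes).Count)
        if ($enf -ne 'Enabled') { $healthy = $false }
    }

    # 3. Evidence that it has blocked something recently. Event IDs:
    #    8004 = EXE/DLL blocked, 8007 = MSI/Script blocked
    #    (8002/8005 = allowed, 8003/8006 = audit mode, "would have been blocked").
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8004, 8007 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Format-Table TimeCreated, Id, Message -Wrap | Out-Host

    return $healthy
}

# Usage: report, and fix the service if it has drifted.
Test-AppLockerHealth -Repair
```

A policy with no recent 8004/8007 events is not proof of failure (nothing may have been attempted), but a service that is not `Running` with start mode `Auto` is proof that nothing is being enforced, which is exactly the state described in the post.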
  2. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: [I hope this is the proper place] AppLocker stopped working o_O

    Yes, I remember that. I replied there. :)

    That doesn't explain why the AppLocker service was set to Manual, when I had it set to Automatic, and I'm 100% sure it was like that, because I had to set some permissions for certain things, including some batch files, which I was modifying in the first moments to get them as I wanted; hence having to update the hash rules in AppLocker as well. It was working fine... but in some magical move it stopped.

    The more I use Windows own security mechanisms, the more I'm inclined to stop using them... seriously.

    Days ago it was a problem with my Windows Firewall rules that got automatically created, related to network discovery... later I found out it was because the computer was capturing the signal of somebody's wireless connection... The freaking firewall just creates rules, like that? lol
    Anyway, this is off-topic. :)
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Please don't mind me adding in with an issue that I faced...

    I'm running AppLocker with MrBrian's ruleset, except that I removed the "Allow Everyone to run all Windows Installer files in %systemdrive%\Windows\Installer folder" rule. Yet, surprisingly, I can still run some .msi files as a standard user, which then launches an installation GUI. Halfway through, UAC would kick in and ask for my credentials. Arguably, not all is lost, as if I just click Cancel, the installation stops/ends.

    However, it's not comforting... I'm so far used to how SRP treats it - simply a deny outright without any prompts. I don't know if AppLocker is designed that way, and I have yet to verify what's wrong with my setup that allows such behavior..

    If someone can enlighten me, it'd be good.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You do make a good point/raise a good question. I actually mentioned that at AppLocker thread.

    I did remove the same rules as you did. So far, I haven't noticed any *.msi installers being able to install. *.msp are able, though... but only if you already have the application installed. For example, Adobe Reader patches have the extension *.msp... so, even with AppLocker without that rule, it still installs. I believe that - and I haven't researched it yet - *.msp will interact with the already installed application - in this case, Adobe Reader - somehow.

    Is it with *.msp installers that you faced with such allowing behavior? Or, is it, in fact, with *.msi installers also?

    -edit-

    Actually, I didn't remove the rule you mention. I confused it with another one that allows installation of *.msi and *.msp from places other than the one you mention and the one for Administrators.
     
  7. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Actually, I didn't initially remove that rule, but only after I'd observed the strange behavior. It still didn't affect how things are, as far as I've seen. I've placed the rule back.

    And yes - it's .msi, and they are installers of already installed programs, but if I remember correctly, I did face 1 or 2 which weren't, and I might have removed them. Can't remember exactly, seeing it's been a week or so..
     
  8. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Sorry. Bumping this post because I believe it went unnoticed by the rest of the Windows Hardening gurus here. :p
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I tried running a .MSI as a standard user from a folder that shouldn't be allowed to run .MSI, and it was blocked outright.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What rules regarding Windows installers have you got? There are 3 predefined rules:

    Allow; All; All Windows Installer files in %systemdrive%\Windows\Installer
    Allow; BUILTIN\Administrators; All Windows Installer files
    Allow; All; Anywhere else *

    * I don't remember this one 100%, as I have it deleted.

    This rule allowed/would allow standard users to install *.msi-packaged applications to user space. I had to remove it.

    The only Windows Installer packages that still install, regardless of this rule being deleted are *.msp, but only if this will patch an already existing application; just like Adobe Reader. I still dislike it, though. :D
     
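The three predefined Windows Installer rules discussed above are worth auditing rather than recalling from memory. For reference, the default Windows Installer collection contains a path rule for `%WINDIR%\Installer\*` (Everyone), a path rule `*` scoped to BUILTIN\Administrators, and a publisher rule `*` for Everyone ("Allow everyone to run all digitally signed Windows Installer files"); that last publisher rule is the one usually responsible for a vendor-signed .msi still starting for a standard user, and the UAC prompt that appears partway through such an install comes from Windows Installer's own elevation for per-machine packages, not from AppLocker. The PowerShell below is an added example, not code from the thread or from MrBrian's ruleset. It reads the effective policy, lists every Allow rule in the Msi collection, flags rules that give non-administrators anything beyond `%WINDIR%\Installer`, and optionally asks AppLocker what it would decide for a given package without running it. The function name, the `-TestPath`/`-TestUser` parameters and the sample path in the usage line are the example's own assumptions.

```powershell
# Added example (not from the thread). Audits the Windows Installer (Msi) rule
# collection of the effective AppLocker policy. Works on Windows 7 / PowerShell 2.0
# and later; Get-AppLockerPolicy needs the AppLocker module, present on those systems.

function Get-AppLockerMsiExposure {
    param(
        [string]$TestPath,               # optional .msi/.msp to evaluate without launching it
        [string]$TestUser = 'Everyone'   # account name or SID the decision is evaluated for
    )
    $adminsSid    = 'S-1-5-32-544'        # BUILTIN\Administrators
    $installerDir = '%WINDIR%\Installer\*' # the one location a non-admin should be allowed

    [xml]$xml = Get-AppLockerPolicy -Effective -Xml
    $msi = @($xml.AppLockerPolicy.RuleCollection) | Where-Object { $_.GetAttribute('Type') -eq 'Msi' }
    if (-not $msi) {
        Write-Warning 'No Windows Installer rule collection: .msi/.msp files are not filtered at all.'
        return
    }
    if ($msi.GetAttribute('EnforcementMode') -ne 'Enabled') {
        Write-Warning "Windows Installer collection is '$($msi.GetAttribute('EnforcementMode'))', so its rules do not block."
    }

    foreach ($rule in @($msi.ChildNodes)) {
        if ($rule.GetAttribute('Action') -ne 'Allow') { continue }
        $sid  = $rule.GetAttribute('UserOrGroupSid')
        $cond = $rule.Conditions.ChildNodes | Select-Object -First 1
        switch ($rule.LocalName) {
            'FilePathRule' {
                $scope = "path " + $cond.GetAttribute('Path')
                # Anything not under %WINDIR%\Installer (e.g. the bare '*' rule) lets the
                # user run packages from Downloads, the Desktop, a USB stick, etc.
                $broad = $cond.GetAttribute('Path') -notlike $installerDir
            }
            'FilePublisherRule' {
                # PublisherName '*' is the default "all digitally signed Windows Installer
                # files" rule: any vendor-signed .msi starts, wherever it sits.
                $scope = "publisher '" + $cond.GetAttribute('PublisherName') + "' product '" + $cond.GetAttribute('ProductName') + "'"
                $broad = $cond.GetAttribute('PublisherName') -eq '*'
            }
            'FileHashRule' {
                $scope = "hash of " + $cond.FileHash.GetAttribute('SourceFileName')
                $broad = $false      # one specific file; narrowest rule type
            }
        }
        New-Object PSObject -Property @{
            Name              = $rule.GetAttribute('Name')
            Sid               = $sid
            Scope             = $scope
            BroadForNonAdmins = ($broad -and $sid -ne $adminsSid)
        }
    }

    if ($TestPath -and (Test-Path $TestPath)) {
        # Dry run: the decision AppLocker would make for this file and user, without executing it.
        Get-AppLockerPolicy -Effective |
            Test-AppLockerPolicy -Path $TestPath -User $TestUser |
            Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize | Out-Host
    }
}

# Usage (the package path is a placeholder): list the rules, then see what a
# standard user gets for a downloaded installer.
Get-AppLockerMsiExposure -TestPath "$env:USERPROFILE\Downloads\setup.msi" -TestUser 'Everyone'
```

Any row with `BroadForNonAdmins` set to True is a rule that permits a standard user to start Windows Installer packages from outside the system's Installer cache; the posters above removed exactly that kind of rule. Note that Windows Installer patches (.msp) applied to an already installed product may still be processed through the existing product's cached package, which is why they can succeed even when the broad rule is gone.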
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I have the first two rules, and also deleted the other predefined rule.
     