Applocker with DLL Rules

Discussion in 'other anti-malware software' started by Joeythedude, Jan 4, 2012.

Thread Status:
Not open for further replies.
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Hi

    Was wondering if anyone uses Applocker with DLL Rules enabled.

    Did you notice any performance impact or do any performance testing?

    As an aside - is there any way to copy the publisher rules from the exe section to the dll section ?

    Cheers
    Joe
     
  2. wat0114

    wat0114 Guest

    Yes, I use DLL rule coverage, with no noticeable impact on system performance. I don't think you can copy publisher rules over, but it's easy enough to reference a file with the publisher you're looking for when creating the rules, by using the slider control in the rule configuration process.

    I haven't done anything too special with DLL rules, primarily using the default Microsoft Windows DLLs path rule: %Windir%\* and the All DLLs located in the Program Files folder path rule: %Programfiles%\*

    It was, however, necessary to create some other customized Publisher rules (you could use hash or path but Publisher is best) for DLLs launching in non-protected (User) directories, as well as a path rule for Unity webplayer that covers all users, as you can see in the screenshot.

    To make things easy on yourself when things might not work right because of a required rule, please see this thread.
     

    Attached Files:
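
On the question in posts 1 and 2 about carrying publisher rules from the Exe section over to the DLL section, here is an added example (not part of the original thread) that does it on an exported policy XML. The sample policy, the function name `Copy-ExePublisherRulesToDll` and the output file name are constructed for illustration, and widening each copied rule to product level (file name and version `*`) is an assumption of this example.

```powershell
# Constructed sample policy (export a real one with: Get-AppLockerPolicy -Local -Xml).
[xml]$policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="Example Corp (constructed)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePublisherCondition PublisherName="O=EXAMPLE CORP, L=CITY, S=STATE, C=US" ProductName="EXAMPLE PRODUCT" BinaryName="EXAMPLE.EXE">
        <BinaryVersionRange LowSection="1.0.0.0" HighSection="*" />
      </FilePublisherCondition></Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly" />
</AppLockerPolicy>
'@

function Copy-ExePublisherRulesToDll {
    param([Parameter(Mandatory = $true)][xml]$Policy)
    $exe = $Policy.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='Exe']")
    $dll = $Policy.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='Dll']")
    if ($null -eq $exe) { throw 'Policy has no Exe rule collection.' }
    if ($null -eq $dll) {  # no DLL collection yet: create it in audit mode
        $dll = $Policy.CreateElement('RuleCollection')
        $dll.SetAttribute('Type', 'Dll')
        $dll.SetAttribute('EnforcementMode', 'AuditOnly')
        [void]$Policy.DocumentElement.AppendChild($dll)
    }
    # Publisher/product pairs already in the DLL collection, so re-runs add no duplicates.
    $seen = @{}
    foreach ($c in $dll.SelectNodes('FilePublisherRule/Conditions/FilePublisherCondition')) {
        $seen[$c.GetAttribute('PublisherName') + '|' + $c.GetAttribute('ProductName')] = $true
    }
    $added = 0
    foreach ($rule in $exe.SelectNodes('FilePublisherRule')) {
        $copy = $rule.CloneNode($true)
        $cond = $copy.SelectSingleNode('Conditions/FilePublisherCondition')
        $key  = $cond.GetAttribute('PublisherName') + '|' + $cond.GetAttribute('ProductName')
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        $copy.SetAttribute('Id', [guid]::NewGuid().ToString())  # rule Ids must be unique
        # An EXE file name never matches a DLL: widen to product level (name and version "*").
        $cond.SetAttribute('BinaryName', '*')
        foreach ($a in 'LowSection', 'HighSection') { $cond.SelectSingleNode('BinaryVersionRange').SetAttribute($a, '*') }
        [void]$dll.AppendChild($copy)
        $added++
    }
    $added
}
"Copied $(Copy-ExePublisherRulesToDll -Policy $policy) publisher rule(s) to the DLL collection"
$policy.Save((Join-Path $PWD 'policy-with-dll.xml'))  # review the file before importing it
```

The reviewed file can be imported with `Set-AppLockerPolicy -XmlPolicy`; without `-Merge` that replaces the existing local policy.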

  3. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    I also use Applocker with DLL rules and the performance loss is minimal. You won't notice it. My DLL rules are slightly different than wat's as I am using Mr. Brian's ruleset, but with a similar approach for creating customized rules for 3rd party DLLs where needed.
     

    Attached Files:

  4. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Thanks very much.

    Really appreciate the screenshots.

    Few more questions

    I play a fair few games like Skyrim and Black Ops - so wonder if you've ever seen a performance loss with games or graphics programs?

    Are those your full list of dll rules ?

    I auto-generated the Exe rules with publisher hash and ended up with a lot of hash files.
    Are those path rules a bit more risky as I run under an Admin a/c ?


    Thanks again
    Joe

    edit - found the post about alerts already - they're all set up and ready to go!
     
  5. wat0114

    wat0114 Guest

    Yes, they are my full list of DLL rules. As for games, only CoDWaw has been played on this pc before (not currently), and no problems occurred with it.

    As long as you run as Protected Administrator (PA) you should still be covered, because you will run with Standard user rights, as long as you don't elevate anything to Administrator level.
     
  6. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Well, I've played Oblivion & Street Fighter V on my laptop without issues. There should be no performance loss with games, etc. What wat said also applies to me as well, that is my full list of DLL files. Make sure you set UAC to max (Always notify). Another thing I would do is grab the hotfix for AppLocker http://support.microsoft.com/kb/2532445 so you can fix an exploit AppLocker has.
     
  7. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Thanks, that's good to know.

    I have UAC set to Max.
    Does that make me a Protected Admin?
     
  8. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Yes it does.
     