Applocker

Discussion in 'other anti-malware software' started by Paul R, Aug 29, 2014.

  1. Paul R

    Paul R Registered Member

    Joined:
    Aug 5, 2014
    Posts:
    48
    Location:
    Bury, Lancashire
    Hi,

    I'm going to set up Applocker over the weekend on windows 8.1 (not on a domain), any chance someone can give me examples of what their set up looks like please?

    I just don't want to set up my system & find I'm leaving key areas unprotected.

    Thanks,

    Paul
     
    Last edited: Aug 29, 2014
  2. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    Last edited: Aug 29, 2014
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    It can get a bit tricky with some dll's and executables running from user space especially...

    Code:
    %OSDRIVE%\USERS\*\APPDATA\ROAMING\ADOBE\FLASH PLAYER\NATIVECACHE\*\*\ADOBECP*.DLL
    Code:
    %OSDRIVE%\USERS\VMWARE7-TEST\APPDATA\LOCAL\TEMP\*.TMP
    ...just as a few examples.

    You can run AppLocker for a while in "Audit" mode, then check the Event viewer logs at: Application and services logs - Microsoft - Windows - Applocker and look for entries of what would have been blocked then create whatever type of rule (Publisher (if possible), Hash or Path) you want for it. Keep in mind Hash rules can be higher maintenance, especially if the executable/dll changes frequently.
     
  4. Paul R

    Paul R Registered Member

    Joined:
    Aug 5, 2014
    Posts:
    48
    Location:
    Bury, Lancashire
    Many thanks for the replies, I'll have a play tomorrow night.

    I've also just looking at the Cryptoprevent rules that are currently on my system, would it be worth copying these rules into Applocker or are the amount of rules overkill? plan is to remove Cryptoprevent when Applocker is fully set up as i presume some could clash?
     
  5. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    You are welcome.
    I have not used Cryptoevent before, so I am not sure if you can copy its rules directly to Applocker, but I don't think there is such a need. With Applocker+LUA+EMET+antivirus with decent HIPS (such as Kaspersky IS), I am pretty sure your chance of being infected by cryptoware is practically zero.
     
  6. Paul R

    Paul R Registered Member

    Joined:
    Aug 5, 2014
    Posts:
    48
    Location:
    Bury, Lancashire
    Cheers Oliverjia, I have all them

    You can't copy the rules but it does list them, all 167 of them :( i guess it just a set & forget thing, where as Applocker is tailored to however the user wants to run his system.

    I'm happy you mentioned you can export the settings as that was one i had marked down for a follow up question.
     
  7. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    There are 4 categories of rules in Applocker, which means files with the below extensions will be blocked if they want to run from individual User's directory unless you set exceptions:

    1. for executibles such as .exe and .com;
    2. for MSI installers such as .msi, .mst and .msp;
    3. for scripts such as .vbs, .js, .ps1, .cmd, .bat;
    4. for packaged apps/installers such as .appx.

    There is 1 advanced rule: DLL rule, which normally there is no need to enable. If you don't enable dll rules, I don't see there is a need to set exceptions for .DLL or .TMP, unless the app in user directory want to run the some files fall into the above 4 categories.

    Correct me if I am mistaken.



     
  8. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    I see. Sorry for the confusion, what I meant was if you export the rules you've set up from the Applocker MMC snapin, then you can import these rules into the Applocker MMC snapin on a new computer with Windows 8/8.1 Enterprise or Windows 7 ultimate/Enterprise in a few clicks.

    Applocker is also set and forget - unless you want to install new programs that installs to non-standard installation directories such as the users directory, in which case new rules will have to be set to allow the program to run from user's directory. I know Dropbox is one of this kind of programs, so you'll have to set new rules to allow dropbox to run from your user directory. But that'll only takes a minute to do, and after that you are done. But if the program installs to system Program Files folders, then there is no need to change Applocker rules, it;ll be allowed to run by default.

    Oh, I think you can forget about the Cryptoevent rules. Don't worry about them. Applocker and the rest of security measures I mentioned will harden your OS to the same level if not higher.
     
    Last edited: Aug 29, 2014
  9. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    512
    Location:
    Australia
    There are already many valuable threads in this forum regarding Applocker, but unfortunately its in regards to Windows 7. I would love to know what has changed in terms of rules from Windows 7 to Windows 8 regarding @MrBrian ruleset, i highly recommend these threads to either recap or implement applocker.

    Mr Brian ruleset;

    https://www.wilderssecurity.com/threads/anyone-running-applocker.272761/#post-1679077

    The following thread details how to get notification alerts;

    https://www.wilderssecurity.com/threads/create-an-instant-applocker-event-alert.306861/

    and, the following describes possible bypasses in Applocker that needed to be patched via a KB2532445 (windows 7);

    https://www.wilderssecurity.com/threads/applocker-feedback.357986/

    IMO Mr Brian's ruleset was genius at the time. Not sure how relevant it is to Windows 8. You still might need custom dll, or publisher rules to make everything compatible on your PC.

    Once again, anyone please shine in to describe the differences in implementation of applocker from windows 7 to windows 8.

    regards
     
  10. guest

    guest Guest

    JFYI, to view if certain folders are user-writeable, we can use AccessEnum.
    http://www.softpedia.com/get/System/File-Management/AccessEnum.shtml
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Correct, there is no need to enable it, but it will certainly afford increased security, although at the expense of some more overhead when AppLocker checks the rules:

    -http://technet.microsoft.com/en-us/library/ee460947(v=ws.10).aspx

    ...and:

    -http://technet.microsoft.com/en-us/library/ee460950(v=ws.10).aspx

    Honestly, I have tried the setup with and without DLL enforcement and I don't notice any perceptible performance degradation with it enabled.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I'm not sure either, since I'm still using Windows 7.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    You just have to scroll down about half ways to see the differences:

    -http://technet.microsoft.com/library/hh831440.aspx
     
  14. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    512
    Location:
    Australia
    Thanks for that, the guts of it is pretty much the same except for .mst and .appx. Who knows how its implemented though. Looks like you still need the enterprise version to enforce Applocker. Pro version can only create the policy. So i hope @Paul R is using this version befor he wastes his time.

    "Please be clear in the "Applies to" section, that Windows 8/8.1 Enterprise license/SKU is needed for AppLocker policies to be applied/enforced. Pro-edition is not enough!"

    regards
     
  15. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    Many thanks man for sharing your experiences with DLL rules:thumb::thumb:.
    Yes the performance and potential interruption of loading programs are the major concern for dll rule. I normally don't enable it.

     
  16. Paul R

    Paul R Registered Member

    Joined:
    Aug 5, 2014
    Posts:
    48
    Location:
    Bury, Lancashire
    Thanks everyone for the replies, I'm all set up using Mr Brian's ruleset, thanks @TS4H

    Set Alerts from any blocks
    Enabled DLL (Audit Only) & created a custom view in event viewer to monitor Applocker, all being well I'll change DLL from Audit to Enforced.
    Enabled all users to run software from a specified folder on another drive

    @oliverjia you mention your 3 exceptions are for registry editors, i am aware of regedit but the other one is? Would leaving these exceptions out create a security hole for malware to exploit? as i do tend to dip in & out of Regedit quite frequently and have Regedit on my right click context menu (not as admin unfortunately).

    In @TS4H post he showed a link for displaying messages which no longer applies to 8.1 as Microsoft has apparently removed the ability to show messages that easily. found a work around here,

    http: //www.askvg.com/fix-cant-create-tasks-to-display-messages-in-windows-8-task-scheduler/

    Thanks Again,
     
  17. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    Dear Paul,

    My intention of disabling regedit, regedt32 and cmd.exe was to mainly block other users with LUA from accessing these tools... I don't think leave these out will create security holes. Others feel free to correct me if I am mistaken.

    regards,
    oliverjia
     
  18. Paul R

    Paul R Registered Member

    Joined:
    Aug 5, 2014
    Posts:
    48
    Location:
    Bury, Lancashire
    Thanks oliverjia, I'll leave them as is then as the kids only use it for the internet, i have enforced DLLs now and seen no performance hit or any issues so far (touch wood), also sampled Shadow Defender after seeing you mention it on another thread, must say it's a nifty bit of software.
     
Loading...