Bufferzone ignores AppLocker?

Discussion in 'sandboxing & virtualization' started by s23, Feb 6, 2011.

Thread Status:
Not open for further replies.
  1. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Hi, I created a thread on the Bufferzone forum because of a strange behaviour I'm encountering. I have not received a response yet, but I resolved to post it here too, so that you guys can be aware of it and (if interested) try to verify whether it is true.

    http://www.trustware.com/forum/viewtopic.php?f=2&t=3045

    I installed Bufferzone Pro Free on my machine yesterday. I noted a behavior and want to confirm it:

    My current system is Windows 7 Ultimate x86:
    I'm using a default Administrator account with UAC at max.
    I hardened it with built-in mechanisms:
    - Changed it to autologin through "netplwiz.exe"
    - Changed UAC local policies to "ask for credentials on the secure desktop", to not "detect application installations and automatically prompt for elevation", and to "only elevate executables that are signed and validated" (I tried to copy the behaviour of Linux distros with the autologin option: when you want to do something that requires Administrator privileges, it asks for the Administrator's password, like sudo).
    - Enabled AppLocker to deny executions (to execute something you need to right-click the executable and use "Run as Administrator", which asks for the Admin password).

    So the system behaviour is:
    1 - When something tries to run (through a drive-by or through a double click), AppLocker denies it.
    2 - When you use "Run as Administrator", if the file is signed, Windows asks for the Admin password. If not signed (even with the correct password), the system returns an error and denies execution.

    Now, after installing Bufferzone, when the executable is inside Bufferzone, AppLocker is being ignored. When I double-click, it detects the installation and automatically prompts for elevation and the Admin password if the file is signed, or already shows the error message if not signed.

    The Bufferzone folder (C:\Virtual) is not in my whitelist rules.

    So what's going on? Is this a bug?
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What type of installer? Is it *.msi? If it is, there's a default rule in AppLocker allowing such installers to run from anywhere.
     
  3. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    No, it is not a *.msi. And that rule is only for signed ones. I always remove this rule.

    I use the other default rules with accesschk exclusions.

    When I double-click an exe downloaded inside Bufferzone, unsigned files directly generate the error you get when you try to elevate unsigned files, and signed ones ask for the Admin password (and I set it to not detect installations and automatically elevate, and in normal behaviour when you double-click an executable file AppLocker denies it). If you move the file outside Bufferzone and double-click again, AppLocker blocks it normally.

    I'm using Bufferzone with maximum settings for installers and external devices.
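A way for a defender to check what the thread is debating, as an added example (not code from the thread or from Trustware): ask the effective AppLocker policy whether a hypothetical executable under the BufferZone folder would be allowed for a standard user, and list the Windows Installer rules to see whether the default "signed MSI from anywhere" rule is still present. The file path is an assumption; run this in an elevated PowerShell on the machine whose policy you are inspecting.

```powershell
# Added example; assumes the AppLocker module (Windows 7 Ultimate/Enterprise and later).
Import-Module AppLocker

# Hypothetical file inside the BufferZone virtual folder mentioned in the thread (C:\Virtual).
$bufferZoneExe = 'C:\Virtual\Downloads\setup.exe'

# Effective policy = local policy merged with any domain GPO.
$policy = Get-AppLockerPolicy -Effective

# 1. Would AppLocker itself allow this path for a non-admin user?
#    If the answer is "Denied" but the file still launches inside BufferZone,
#    the launch path is not going through AppLocker enforcement at all.
Test-AppLockerPolicy -PolicyObject $policy -Path $bufferZoneExe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 2. Enumerate the Windows Installer (Msi) rule collection so the default
#    allow rule m00nbl00d refers to can be confirmed present or removed.
foreach ($collection in $policy.RuleCollections) {
    if ($collection.RuleCollectionType -ne 'Msi') { continue }
    foreach ($rule in $collection) {
        [pscustomobject]@{
            Collection = $collection.RuleCollectionType
            Name       = $rule.Name
            Action     = $rule.Action
            Sid        = $rule.UserOrGroupSid
        }
    }
}
```

Test-AppLockerPolicy only evaluates the policy against a path; it says nothing about how a virtualization layer redirects the launch, which is exactly the gap the thread is observing.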
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    My system behaviour is (on a Vista Business laptop):
    1 - When something tries to run (through a drive-by or through a double click), the '1806' trick denies it; right-click to remove the block and run it.
    2 - ACL denies execute for users on data partitions (so still able to run with Run as Administrator).
    3 - Group Policy denies execute from USB disks, and a GPO stops autorun.
    4 - Run as Basic User for all internet-facing programs in Program Files (this will prevent signed and installed programs from auto-elevating) + EMET 2 on them.
    5 - When you use "Run as Administrator", if the file is signed, Windows auto-elevates only from safe places. If not signed, the system returns an error and denies execution.

    With BufferZone, it is impossible to remove the '1806' block, so BZ does dig deep into the OS and catches some events which override OS-internal protection mechanisms.

    I would not really worry if I were you. I have tested my setup (with the same protection ideas as you use) for six months now, and nothing bypasses it (just using Windows FW 2-way).
     
    Last edited: Feb 6, 2011
  5. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Thanks for confirming the behaviour.
    To be honest, I'm not concerned regarding security; I'm looking at this more as a bug report (at least I think Bufferzone should not act like this). I started looking for something else after reading here about the "favor" Microsoft did to us with the "by design bypasses" in AppLocker reported by Didier Stevens.
    I don't think this type of malware should go into the wild... but in these times where you buy "ready to go kits" on the internet... with VM awareness, obfuscation, etc.... better safe than sorry. Normally I just use Sandboxie Free with some shortcuts on the taskbar... but since I cannot force it to start sandboxed and I'm not the only one using this system... I need something that can ensure isolation. If I don't receive a response on the Bufferzone forum, I will probably use the license I got in the Returnil giveaway and use the multi-snapshot feature, since it can be used normally with GRUB. Let's see.

    Thanks again, Kees and m00nbl00d, for the help.

    Take care
     