More AppLocker oddities

Discussion in 'other security issues & news' started by m00nbl00d, Jun 6, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Background info: I made a relative of mine use Chromium (low integrity level applied). I also installed AVG LinkScanner (including Chrome extension).

    Until a few days ago, everything was working fine (ever since the Google Chrome extension was provided by AVG). My relative could see LinkScanner ratings in Google search engine.

    But, a few days ago, LinkScanner would no longer display ratings. First, I thought it could be a bug with Chromium making it conflict with extensions, so I waited to see if following builds would fix it, and if not report it as a bug.

    I thought that it could be a messed up profile and all that, so I deleted Chromium's profile and made a new one. Same deal.

    Today, something came to my mind: I've deployed AppLocker and with DLL enforcement. Guess what? I had never created rules allowing the DLL files that LinkScanner Safe-Search extension created in Chromium's profile folder!

    Wait a minute! So, how was LinkScanner showing ratings (before it stopped showing them) for weeks!, without AppLocker rules allowing the needed DLLs?

    AppLocker was malfunctioning, that's for sure. Was LinkScanner making use of those bypassing flags Didier Stevens talked about? Maybe... I saw another user mentioning Microsoft was going to provide a fix for those flags. Was it already provided? I don't remember any update about that. o_O

    If not related to that... What the heck happened? :doubt: Any ideas? lol
     
  2. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    AppLocker can definitely get "weird". Once I had it blocking TeamViewer and a few other pieces of software for no apparent reason. There was no "blocked" message in the AppLocker logs, and only "allowed" messages.

    I ended up having to remove all the rules, reboot, then re-engage them, then reboot again. After that everything worked fine.
     
  3. wat0114

    wat0114 Guest

    Almost without exception I'm able to find and resolve the root cause of any AppLocker anomalies, usually a logical reason at that, but a recent one with a CoD user directory rule was a complete mystery to me. No matter what I did AppLocker kept blocking, even though I saw no reason for it to happen. The game has to be run as administrator from the user account to work properly.
     
  4. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    AppLocker was blocking Firefox 4.0.1 from launching within Avast's sandbox. Yet if I remove Firefox from Avast's Virtualized processes list...open and use Firefox for a short while (unsandboxed)...then place Firefox back on the Virtualized processes list...Firefox runs just fine until I do a reboot. Then I'm back to square one (Firefox being blocked). AppLocker does seem to have its inconsistencies. I personally prefer SRP myself, but after reading a thread about Microsoft placing a "backdoor" bypass of AppLocker and SRP within Win 7 I honestly don't feel safe using Windows now.

    Later...

    Bob
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Are these more AppLocker oddities... or not really?

    Back on Chromium/Chrome and AppLocker. As you know, Chromium/Chrome's extensions are coded in JavaScript.

    AppLocker blocks scripts outside Program Files and Windows folders. Admins can run them without restriction.

    Chromium's extensions are installed in the user space, so by default they should be blocked.

    I don't think simply having Chromium/Chrome as an allowed application whitelists the *.js files belonging to the extensions, does it?

    If it doesn't, then why are extensions working without issues? No *.js files are being blocked, at all.
    Assuming that simply running Chromium wouldn't whitelist such scripts, why isn't AppLocker blocking the scripts?

    I even created a specific rule blocking the extensions folder, which should take precedence over allowing rules (if that would be the case with Chromium whitelisting the scripts).

    Any thoughts? Is this one more way AppLocker should not be behaving?


    Thanks
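
A diagnostic for the situations described in this thread (DLLs and *.js files under the Chromium profile, and logs showing only "allowed" entries), added here as an example and not posted by any participant: it compares what the effective AppLocker policy decides for those files with what the AppLocker event logs recorded. The profile path and the `*\Chromium\User Data\*` message filter are assumptions; adjust them to the machine being checked.

```powershell
# Added example, run from an elevated PowerShell prompt on the affected machine.
Import-Module AppLocker

# Assumption: default per-user Chromium profile location.
$extDir = Join-Path $env:LOCALAPPDATA 'Chromium\User Data\Default\Extensions'
$user   = "$env:USERDOMAIN\$env:USERNAME"

# 1. Enforcement mode of each rule collection (Exe, Dll, Script, Msi).
#    A collection set to AuditOnly or NotConfigured will not block anything.
$policy = Get-AppLockerPolicy -Effective
foreach ($rc in $policy.RuleCollections) {
    [pscustomobject]@{
        Collection = $rc.RuleCollectionType
        Mode       = $rc.EnforcementMode
        Rules      = $rc.Count
    }
}

# 2. What the policy itself decides for the extension's DLL and script files.
$files = Get-ChildItem -Path $extDir -Recurse -Include *.dll, *.js -File `
             -ErrorAction SilentlyContinue
if ($files) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $files.FullName -User $user |
        Select-Object FilePath, PolicyDecision, MatchingRule |
        Sort-Object PolicyDecision |
        Format-Table -AutoSize -Wrap
} else {
    Write-Warning "No .dll or .js files found under $extDir"
}

# 3. What AppLocker actually logged for files under the profile.
#    8002/8005 = allowed, 8003/8006 = audited (would block), 8004/8007 = blocked.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'
Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8002..8007 } `
        -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*\Chromium\User Data\*' } |
    Select-Object TimeCreated, Id, LogName, Message |
    Format-List
```

A file that step 2 reports as `Denied` or `DeniedByDefault` but that never appears in step 3 was never submitted to AppLocker for a decision, which is a different finding from AppLocker evaluating it and allowing it.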
     