Need help with AppLocker

Sorry for the large file size. I automatically generated these rules for my AppData folder. I want to deny execution except for what's already there.

I can't run anything from the %HOT%, which is actually J:\ (it replaced it on its own with %HOT%) ie: My RAMDisk. But I can still run chromium from the AppData folder.

 

What file? Forgot to upload it?

 

Yes, yes I did lol one sec. I'll edit the first post.

 

OK. So, you want to deny execution from AppData folder, except what's specified in those rules?

And, what are you experiencing instead? Can you still execute anything else from AppData, is that it? What I mean is, what did you mean when you said I can still run chromium from the AppData folder? Are you referring to the actual Chromium browser, which there are no allowing rules?

-edit-

What are those Hash rules for? Are they for Google Chrome or Chromium? If they're for Chromium, then it's going to be allowed excution, of course.

 

Basically, I created a bunch of allow rules that you can see there. Those allow rules are for specific hashes as well as specific certificates.

I can't execute Chromium from my %HOT% folder - it worked there. It just doesn't start.

I then tried executing Chromium from my AppData folder (I just dragged teh chromium folder into appdata) and it runs fine.

I want nothing but what I allowed with those rules to run in AppData.

EDIT: OK, I just tried running Minecraft.exe from %HOT% and it ran... so I guess Chromium was just screwing up in the RAMDisk.

So none of these are working lol

 

OK! Sorry for misunderstanding you. I thought you wanted to deny Chromium... which would be impossible with the allowing rules.

So, you want to allow from the %HOT% (the RAMDisk). AppLocker is preventing it. I get it now.

Did you make sure you also created the DLL rule? Just in case.

 

I didn't create any DLL rules. I think there are DLLs in the User_Data folder (pepper flash?) and AppData.

I want no execution from HOT at all - all that's in there is my USer_Data folder.

I want no execution from my AppData folder except for a few publishers and hashes.

So I did a bunch of allow rules for those things and I figured everything else would be denied... and yet I can run minecraft and chromium from both folders.

 

So.. I was right. lol If you want no execution from %HOT%, at all, then why the heck did you create an allow rule? You are allowing execution from %HOT%.

If you want to deny execution from %HOT%, then you must create a specific rule denying execution from %HOT%. You can't create an allow rule.

-edit-

Be aware that, if you ever need to execute something from an USB flash drive, then you either need to create rules for those files or create a folder in your system where you allow execution temporarily. lol %HOT% will apply for any USB flash drive, because you'll be creating a Path rule.

 

-edit-

On the other hand, the rules for AppData should make those apps work, and everything else gets blocked.

 

I was trying to create an allow rule for Path that had no exceptions lol I figured it woudl allow nothing >_>

Actually I managed to deny execution from hot with SRP and I applied "Disallowed" to the path.

edit: Oh, also. I tried using SRP to run Chrome Canary's .exe as a basic user. It says it's blocked by an adminsitrator when I try to run. Any ideas? This isn't a big deal I was just curious.

 

Well, I don't know who you've talking to , but an Allow rule means what it means: It will allow.

So, when you create a specific rule allowing something, it will be allowed, and not denied.

It makes sense... With AppLocker you created an Allow rule and with SRP, you created a rule as specifying Disallowed. Do you note the difference?

I never used SRP with Windows 7, but I thought that SRP Basic User setting didn't work with Windows 8 either? SRP doesn't work in Windows 7 as it worked in Windows Vista. I got some vague memory about it. I actually remember reading somewhere that applying a Basic User in Windows 7 SRP, it would work as a deny rule. I suppose it works the same way in Windows 8 as well.

 

By the way, I was going to let you learn on your own... ... but, be aware that what you trying to achieve with Deny execution from AppData folder, exception to publisher and hashes, it simply won't work as you would except it to work.

When you create a Publisher or Hash rule, the rule will stick regardless of the path. So, if any piece of malicious code gets to your system and happens to be using a stolen digital signature, matching those you allow, then it will execute regardless of where it is.

A Publisher rule implies you allow execution, if it matches any of the allowed digital certificates. Regardless of where the file is.

When it comes to Hash rules, well... if you move your executable around, for example, then you can still execute it.

I didn't explicitely mention it before, but I implicitely mentioned it with On the other hand, the rules for AppData should make those apps work, and everything else gets blocked.

Which is what I meant with the rules for AppData should make those apps work - provided there's a matching rule to allow execution, regardless of the path.

 

Aha... well that explains a lot.

 

I'm glad I could be of some assistance.