No AppLocker audit error entry in Event Viewer

Discussion in 'other security issues & news' started by exus69, Dec 28, 2012.

Thread Status:
Not open for further replies.
  1. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Hello everyone,

    I do not see any AppLocker error entries for exe/dll files in Event Viewer (event ID: 8004), although they do appear for MSI and scripts (event ID: 8007). This is important for knowing which unwanted executables someone tried to run without the admin's permission.

    I've set up AppLocker with the default path rules and MrBrian's exceptions.

    Please help
     
    Last edited: Dec 28, 2012
  2. Marco Peretti

    Marco Peretti Registered Member

    Joined:
    Jan 24, 2013
    Posts:
    3
    Location:
    Italy
    I know this comes very late, but I've decided to answer it anyway, hoping it may help others running into the same problem. We blogged about it a while ago, but it basically boils down to:


    1. The Application Id service must be running, which is not the case by default.


    2. The AppLocker Executable rules property must be set to "Configured", and either "Enforce Rules" or "Audit Only" selected.


    3. At least a Publisher, Hash or Path rule must have been created.
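
The three conditions listed in this reply can be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original post or the blog it mentions; the function name `Test-AppLockerExeLogging` is hypothetical, and event ID 8003 (the audit-only counterpart of 8004) is included as an assumption about what the reader wants to see.

```powershell
# Added example: verifies the three prerequisites for AppLocker EXE/DLL logging
# on the local machine. Written to run on PowerShell 2.0 and later.
Import-Module AppLocker

function Test-AppLockerExeLogging {
    # 1. The Application Identity service (service name AppIDSvc) must be running.
    $svc = Get-Service -Name AppIDSvc

    # 2. Read the effective policy as XML and pick the Executable rule collection.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $exe = $policy.AppLockerPolicy.RuleCollection |
        Where-Object { $_.Type -eq 'Exe' }

    # EnforcementMode is NotConfigured, AuditOnly or Enabled ("Enforce rules").
    $mode = 'NotConfigured'
    if ($exe) { $mode = $exe.EnforcementMode }

    # 3. Count Publisher, Path and Hash rules inside the Exe collection.
    $rules = @($exe.ChildNodes |
        Where-Object { $_.LocalName -match '^File(Publisher|Path|Hash)Rule$' })

    # Recent block (8004) and audit (8003) events, if any were logged at all.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    } -MaxEvents 20 -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        ServiceRunning  = ($svc.Status -eq 'Running')
        EnforcementMode = $mode
        Configured      = (('AuditOnly', 'Enabled') -contains $mode)
        ExeRuleCount    = $rules.Count
        RecentEvents    = $events.Count
    }
}

$check = Test-AppLockerExeLogging
$check | Format-List ServiceRunning, EnforcementMode, Configured, ExeRuleCount, RecentEvents

# Report which prerequisite is missing, in the order given in the post.
if (-not $check.ServiceRunning) { Write-Warning 'Application Identity service is not running.' }
if (-not $check.Configured)     { Write-Warning 'Executable rules are not set to Enforce or Audit Only.' }
if ($check.ExeRuleCount -eq 0)  { Write-Warning 'No Publisher, Path or Hash rule exists for executables.' }
```

If all three checks pass and `RecentEvents` is still 0, no executable has matched a deny or audit condition since the log was last cleared.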
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    4. No unauthorised EXE/DLL was executed. (It's also a possible situation. :D)
     