Problem with Software Restriction Policies (SRP) and Hash-Rules

Discussion in 'other software & services' started by bt6060, Jun 28, 2011.

Thread Status:
Not open for further replies.
    bt6060 (Registered Member, joined Jun 28, 2011, 1 post)
    Hi,

    I have some trouble with SRP. I want to "seal" a system (Windows XP) only with hash rules. I'm using a script that automatically scans the system for every file (only designated file types), calculates its MD5 value and creates a key in the registry (HKLM/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/262144/Hashes).

    Then I delete the four default path rules (Windows, Windows/System32 and Program Files), activate whitelist mode and SRP logging (with the LogFileName registry value). With the default SRP settings everything works fine. The system boots without any problems and all installed and "hashed" programs run correctly.

    Then I want to apply SRP to software libraries (dll, ocx, ...). My script scans the system and creates a hash rule for every library. After I activate library control in SRP, I can't start any program. The following is written to the SRP log (start of wordpad.exe):

    explorer.exe (PID = 664) identified C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\WordPad.lnk as Unrestricted using hash rule, Guid = {08d52797-e9ce-4191-957e-7325e091b96a}
    explorer.exe (PID = 664) identified C:\Program Files\Windows NT\Accessories\wordpad.exe as Unrestricted using hash rule, Guid = {089379a8-2ff4-4c5b-85b4-f86da43d7ad4}
    wordpad.exe (PID = 408) identified \??\C:\WINDOWS\system32\IMM32.DLL as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
    wordpad.exe (PID = 408) identified \??\C:\WINDOWS\system32\MSFTEDIT.DLL as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
    wordpad.exe (PID = 408) identified \??\C:\WINDOWS\system32\RICHED20.dll as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
    wordpad.exe (PID = 408) identified \??\C:\WINDOWS\system32\UxTheme.dll as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
    wordpad.exe (PID = 408) identified \??\C:\WINDOWS\system32\UxTheme.dll as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}


    The libraries (IMM32.DLL, MSFTEDIT.DLL, ...) are listed in the whitelist as hash rules. The MD5 and file size of the libraries are correct, but the hash rules for the libraries are ignored by SRP.

    Why does SRP ignore the hash rules for the DLLs and use the default rule? Are there any restrictions for libraries? Do I have too many hash rules (about 2200)?

    David
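As an added example (not the poster's script), the allowlisting procedure described above, reduced to its essentials: for every file of a designated type it computes the two values an SRP hash rule is matched on, the MD5 digest and the exact byte count, emits them as a .reg fragment under the CodeIdentifiers\262144\Hashes key quoted in the post, and can re-check a stored rule against the file on disk, which is the first thing to verify when a rule is unexpectedly skipped in favour of the default rule. The value names HashAlg, ItemData, ItemSize and FriendlyName and the 0x8003 MD5 algorithm id follow the SRP hash-rule registry format; the sample file tree and its contents are constructed.

```python
import hashlib
import os
import struct
import tempfile
import uuid

# Registry path quoted in the post; 262144 (0x40000) is the Unrestricted level,
# so a hash rule stored beneath it allows the matching file to run or load.
SRP_HASHES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
                  r"\Safer\CodeIdentifiers\262144\Hashes")
CALG_MD5 = 0x8003                      # HashAlg value for MD5-based hash rules
DESIGNATED = {".exe", ".dll", ".ocx"}  # constructed subset of designated types

def md5_and_size(path):
    """SRP matches a hash rule on the MD5 digest AND the exact byte count."""
    with open(path, "rb") as fh:
        data = fh.read()
    return hashlib.md5(data).digest(), len(data)

def reg_fragment(guid, digest, size, path):
    """One rule as .reg text: ItemData = raw 16-byte MD5, ItemSize = REG_QWORD."""
    item_data = ",".join(f"{b:02x}" for b in digest)
    item_size = ",".join(f"{b:02x}" for b in struct.pack("<Q", size))
    friendly = path.replace("\\", "\\\\")  # .reg string values escape backslashes
    return "\n".join([f"[{SRP_HASHES_KEY}\\{{{guid}}}]",
                      f'"HashAlg"=dword:{CALG_MD5:08x}',
                      f'"ItemData"=hex:{item_data}',
                      f'"ItemSize"=hex(b):{item_size}',
                      f'"FriendlyName"="{friendly}"', "", ""])

def scan(root, designated=DESIGNATED):
    """Walk root and yield (path, digest, size) for every designated file."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if os.path.splitext(name)[1].lower() in designated:
                path = os.path.join(dirpath, name)
                yield (path,) + md5_and_size(path)

def rule_still_matches(digest, size, path):
    """A rule whose digest or size differs from the file on disk never fires."""
    return md5_and_size(path) == (digest, size)

def demo():
    # Constructed tree: two code files plus one file of a non-designated type.
    root = tempfile.mkdtemp()
    for name, body in [("IMM32.DLL", b"MZ-imm32"), ("wordpad.exe", b"MZ-pad"), ("readme.txt", b"not code")]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    rules = list(scan(root))
    reg = "Windows Registry Editor Version 5.00\n\n" + "".join(
        reg_fragment(str(uuid.uuid4()), d, s, p) for p, d, s in rules)
    return rules, reg
```

Importing the generated .reg text with regedit creates one rule per file; running rule_still_matches over the stored digest and size for each allowed library shows whether the rule data still corresponds to the file SRP is evaluating.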