Problem with Software Restriction Policies (SRP) and Hash-Rules

Discussion in 'other software & services' started by bt6060, Jun 28, 2011.

Thread Status:
Not open for further replies.
  1. bt6060

    bt6060 Registered Member

    Joined:
    Jun 28, 2011
    Posts:
    1
    Hi,

    I have some troubles with SRP. I want to "seal" a System (Windows XP) only with Hash-Rules. I'm using a script, which automatically scans the system for every file (just designated file types), calculate its MD5-Value and creates a key in the registry (HKLM/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/262144/Hashes).

    Then i delete the four default Path-Rules (Windows, Windows/System32 and Program Files), activte whitelist-mode and the SRP-Logging (with LogFileName-Registry Value). With the default SRP Settings everythings works fine. System boots without any problems and all installed and "hashed" Programs are running correctly.

    Then i want to apply srp to software libraries (dll, ocx, ...). My script scans the system and creates for every library a hash-rule. After i activate to control libraries with srp i can't start any program. The following is written to the srp logs (start of wordpad.exe):

    explorer.exe (PID = 664) identified C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\WordPad.lnk as Unrestricted using hash rule, Guid = {08d52797-e9ce-4191-957e-7325e091b96a}
    explorer.exe (PID = 664) identified C:\Program Files\Windows NT\Accessories\wordpad.exe as Unrestricted using hash rule, Guid = {089379a8-2ff4-4c5b-85b4-f86da43d7ad4}
    wordpad.exe (PID = 400:cool: identified \??\C:\WINDOWS\system32\IMM32.DLL as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
    wordpad.exe (PID = 400:cool: identified \??\C:\WINDOWS\system32\MSFTEDIT.DLL as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
    wordpad.exe (PID = 400:cool: identified \??\C:\WINDOWS\system32\RICHED20.dll as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
    wordpad.exe (PID = 400:cool: identified \??\C:\WINDOWS\system32\UxTheme.dll as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
    wordpad.exe (PID = 400:cool: identified \??\C:\WINDOWS\system32\UxTheme.dll as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}


    The libraries (IMM32.DLL, MSFTEDIT.DLL, ...) are listed in the whitelist as hash-rule. The MD5 and filesize of the libraries are correct, but the hash-rule for the libraries are ignored by srp.

    Why srp ignore the hash-rules for the DLLs and use default rule? Are there any restrictions for libraries? Do i have too many hash-rules (about 2200)?

    David
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.