Software Restriction Policy vs Antiexecutable

Discussion in 'other software & services' started by sukarof, Jan 14, 2008.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    No, because your previous tests never launched any code in the non-standard extension file, whether SRP was on or not, right? Thus, you didn't test SRP. My script actually launches the code contained in the file with the non-standard extension.
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    No, process explorer did run.
    Your script does show a more concrete example.
    The cmd example (not my idea, it's from the dslr thread) will just show how extensions can be deceiving when we're not talking about explorer.exe as parent, and that SRP doesn't work by extensions, for executables.

    BTW, thank you for the script again :)
     
    Last edited: Jun 19, 2008
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I have more good news about SRP!

    I tested if SRP defends against scripts with non-standard extensions. I renamed a VBscript file to extension .jnk. I then used the following Run command: wscript /e:vbscript "c:\temp\test.jnk"
    SRP prevented it from running, with a message that Windows Script Host failed due to SRP! When I moved the script to \Program files and altered the Run command accordingly, the script ran. All these are the results I hoped for.
     
  4. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    @mrbrian

    great! thank you for these tests :thumb:
     
  5. tlu

    tlu Guest

    Thanks for your tests! So it seems that (so far) SRP is rather impenetrable. Good to know.
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    VBS is part of that group:
    So perhaps anything in this group works like that. One question remains (for now), what else is included, besides library, executable and vbs.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :)
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I modified my post #105 with new info. SRP probably doesn't handle scripts for 3rd-party scripting languages that might have been installed, such as Python. This should be tested though.
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    "if the other program does not enforce software restriction policies itself" it should only be blocked per extension, and only when launched with explorer and iexplorer.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Very, very informative exchanges and comparisons but omitted out of this discussion, what about FOLDERS which include executables, for example, running a desktop program within a desktop folder.

    Is this at all possible and what are the proper entries in SRP to bypass at least this particular SRP restriction, is it at all possible or is SRP strictly locked to file extensions only, which can present a problem so far as accessibility needs are expected from these, in this case, a simple desktop folder or folders a user would prefer to have unrestricted?

    Thanks and great topic to discuss as well.

    EASTER
     
  11. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    hello easter, let me try to answer this one. it, the program, won't run. you have to make a rule allowing that program to run. you can either :

    a) allow all executables in that folder on your desktop to run

    or

    b) allow only the program executable to run

    i have xnews in a folder on my desktop, i created an allow rule for "xnews.exe" ONLY. that means my xnews program runs fine, but nothing else in the xnews folder on my desktop can run. it's pretty awesome :)

    another cool thing with SRP is you can deny executables from running. on all my machines, in my LUA, cscript.exe, wscript.exe, cmd.com, and command.com are forbidden.
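
The path-rule behaviour described in posts 3 and 11, as an added example that is not part of the original thread and is not Microsoft's code. It is a simplified model: a default level of Disallowed plus path rules, where the most specific matching rule wins and a tie goes to the more restrictive level. Wildcards, environment variables, hash and certificate rules are left out, and every path except `c:\temp\test.jnk` is constructed.

```python
import ntpath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

def _norm(path):
    # Windows paths compare case-insensitively; this also collapses ".." and "/".
    return ntpath.normcase(ntpath.normpath(path))

def evaluate(path, rules, default=DISALLOWED):
    """Return the level this simplified model applies to one file path."""
    target = _norm(path)
    best = None  # ((rule length, is_disallowed), level)
    for rule_path, level in rules:
        rp = _norm(rule_path)
        # A rule matches the exact file or anything below the folder it names.
        if target == rp or target.startswith(rp + "\\"):
            key = (len(rp), level == DISALLOWED)
            if best is None or key > best[0]:
                best = (key, level)
    return best[1] if best else default

# Constructed rule set: system folders unrestricted, plus the single-file
# allow rule from post 11 (the desktop path is an assumption).
BASE = [
    (r"C:\Windows", UNRESTRICTED),
    (r"C:\Program Files", UNRESTRICTED),
    (r"C:\Documents and Settings\user\Desktop\xnews\xnews.exe", UNRESTRICTED),
]
# Post 11's extra deny rules for script hosts (System32 location assumed).
DENY_HOSTS = [
    (r"C:\Windows\System32\cscript.exe", DISALLOWED),
    (r"C:\Windows\System32\wscript.exe", DISALLOWED),
]

if __name__ == "__main__":
    samples = [
        r"c:\temp\test.jnk",                      # post 3: blocked
        r"C:\Program Files\test.jnk",             # post 3: runs after the move
        r"C:\Documents and Settings\user\Desktop\xnews\xnews.exe",
        r"C:\Documents and Settings\user\Desktop\xnews\helper.exe",
        r"C:\Windows\System32\cscript.exe",
    ]
    for s in samples:
        print(f"{evaluate(s, BASE + DENY_HOSTS):<12} {s}")
```

The decision depends only on where the file lives, never on its extension, which matches what the `.jnk` test in post 3 observed.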
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Indeed!

    Thanks for the summary and confirmation to your results. Then we can fairly well sum up that XP's SRP is a formidable component of the operating system and completely configurable.

    What a revelation and one has to wonder why it's been somewhat not mentioned too very often before and only occasionally. Likely the security industry maybe?
     
  13. Arup

    Arup Guest

    LUA+SuRun+SRP+DEP and x64XP or Vista is quite a formidable combo.
     