

AppLocker (and SRP) do not work based on file extensions alone. Instead, they work based on what is being executed. It doesn't matter if the file is called i_am_just_a_text_file_honest.txt: if something tries to execute it, create a process out of that supposed text file, AppLocker will be interested. That file is being executed, and therefore AppLocker will obviously be interested in it no matter what the file extension is, and will block it if the rules say it should not be allowed to run. Exactly the same way, you can open an exe file all day long, even though it's in AppLocker's list and the rules deny execution for that file, for viewing the exe file in Notepad for example or in a hex editor, just as long as you don't actually execute it, which AppLocker would prevent. If AppLocker didn't work this way, it would be just... well, stupid, because then anyone could trivially bypass AppLocker just by changing the file extensions: "malware.exe" is not allowed to run, but "malware.bin" would be, even though it's exactly the same file and both are being created as a process. File extensions in general are pretty pointless as far as security is concerned - just a part of a name, and a name can be anything. It's not important what something claims to be (it has the name of a text file); important is what something really actually is (an exe file that has been given the wrong file extension but can still be executed).

And yes, audit only is a very useful tool.

Hi Windchild and thanks for the explanation. I just take things in the literal sense sometimes. AppLocker states that the executable file extensions it manages are .com, thus my surprise at it stopping the .bin process, even after I had auto-generated hash rules (publisher rules not possible because openoffice files aren't signed) for everything in its program folder. So, interestingly enough, and maybe you know why it worked, but I fixed the problem by creating a Path rule for the openoffice Program folder. I'd prefer Publisher or even Hash rules, but it is an allowed program anyways, so no big deal using the weaker path rule in this case. Your explanation makes sense technically, just that I did not expect AppLocker to behave this way, but I think all is good.
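A way to verify both points from the thread on a real machine, as an added PowerShell example that is not from either poster: it tests the actual process file (soffice.bin, not just the .exe) against the effective AppLocker policy, builds hash rules from an explicit file list so that an unusual extension is not skipped, and reads the audit events. The OpenOffice folder, the user name and the temp file names are assumptions.

```powershell
# Added example, not code from the thread. Needs the AppLocker module on a
# machine where an AppLocker policy is applied. Paths and user are assumptions.
Import-Module AppLocker

$programDir = 'C:\Program Files\OpenOffice 4\program'   # assumption: install folder
$testUser   = 'Everyone'                                # assumption: user to evaluate
$policyXml  = Join-Path $env:TEMP 'effective-applocker.xml'
$newRules   = Join-Path $env:TEMP 'openoffice-hash-rules.xml'

# 1. Export the effective policy so Test-AppLockerPolicy can evaluate against it.
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyXml

# 2. AppLocker decides on what gets executed, so test the .bin process file
#    alongside the .exe/.com files instead of trusting the extension list.
$candidates = Get-ChildItem -Path $programDir -File |
    Where-Object { $_.Extension -in '.exe', '.com', '.bin' }

Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidates.FullName -User $testUser |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
# A 'Denied' (or, in audit mode, 'DeniedByDefault') row for soffice.bin means the
# existing rules never covered it, which is the situation described in the thread.

# 3. Generate hash rules from the explicit file list (the files are unsigned, so
#    publisher rules are not an option; a path rule would be weaker than hashes).
$fileInfo  = Get-AppLockerFileInformation -Path $candidates.FullName
$hashRules = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Hash `
                 -User $testUser -Optimize -Xml
Set-Content -Path $newRules -Value $hashRules

# Review $newRules, then merge it into the local policy (keeps existing rules):
#   Set-AppLockerPolicy -XmlPolicy $newRules -Merge

# 4. While the collection is in audit-only mode, event 8003 records what would
#    have been blocked; 8004 is an actual block once enforcement is on.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Re-run step 2 after merging to confirm every candidate now shows an 'Allowed' decision with a hash rule as MatchingRule.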
