Solved

Cryptolocker blocking group policy path rules whitelist

Posted on 2015-01-09
1,683 Views
Last Modified: 2015-02-02
There are unfortunately people who create malware.
And there is MS, trying to help us by providing things like administrative logins and UAC.
And there are those who spend their time finding their way around the tools MS provides because 'they're inconvenient'.
Like the fine folks at Oracle, who give us an updater executable that wants to execute in
c:\users\username\AppData\Local\Temp or %LocalAppData%\Temp if you prefer.
The fine folks from Sage Software do the same thing for their Simply Accounting updates

Those locations also happen to be amongst the locations that CryptoLocker and its ilk execute from.
So, after our brush with that, I have a GPO in place that is

%AppData%\*.exe                                                                     Disallowed
%AppData%\*\*.exe                                                                   Disallowed
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%        Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%      Unrestricted
%LocalAppData%\*.exe                                                                Disallowed
%LocalAppData%\*\*.exe                                                              Disallowed
%LocalAppData%\Temp\jre*.exe                                                        Unrestricted
%LocalAppData%\Temp\SA201*.exe                                                      Unrestricted


Sadly however, the two unrestricted wildcard items DO NOT get to run.
And their obfuscated structure means I can't just rip them apart to get to the .msi or setup.exe

How do I alter my group policy to permit those PITA installation updates to run while still preserving the prohibition on anything else playing pattycake in the AppData sandbox?
Question by:Nick67
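As an added example that is not part of the original question, the PowerShell script below models how the path rules listed above resolve for one candidate file. It expands each rule from the evaluating session's environment (including SRP's %HKEY_LOCAL_MACHINE\Key\ValueName% registry form), turns the * and ? wildcards into a pattern that does not cross a path separator, and orders the matching rules by the documented SRP precedence: the most specific rule first, and on a tie the more restrictive level. The rule list inside the script is a constructed copy of the question's policy so it runs without a GPO; -FromRegistry reads the live policy from HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers instead. The candidate file name jre-sample-iftw.exe and the specificity metric (literal characters before the first wildcard) are assumptions of this example, since Microsoft does not publish the engine's exact ordering.

```powershell
# Added example, not code from the original question. It models how SRP path
# rules resolve for a candidate executable so a GPO edit can be reasoned about
# before it is pushed. The sample rule list is constructed from the question;
# -FromRegistry reads the live policy from the Safer\CodeIdentifiers key instead.
param(
    [string]$Candidate = (Join-Path $env:LOCALAPPDATA 'Temp\jre-sample-iftw.exe'),  # constructed name
    [switch]$FromRegistry
)

$SaferKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# The question's rules, as a constructed sample so the script runs without a GPO.
$SampleRules = @(
    @{ Level = 0;      Path = '%AppData%\*.exe' },
    @{ Level = 0;      Path = '%AppData%\*\*.exe' },
    @{ Level = 262144; Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' },
    @{ Level = 262144; Path = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' },
    @{ Level = 0;      Path = '%LocalAppData%\*.exe' },
    @{ Level = 0;      Path = '%LocalAppData%\*\*.exe' },
    @{ Level = 262144; Path = '%LocalAppData%\Temp\jre*.exe' },
    @{ Level = 262144; Path = '%LocalAppData%\Temp\SA201*.exe' }
)

function Get-SrpPathRules {
    # Each security-level key holds Paths\{GUID} subkeys; ItemData is the rule text.
    foreach ($level in $LevelNames.Keys) {
        $paths = "$SaferKey\$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($key in Get-ChildItem $paths) {
            # Keep %...% unexpanded so one expansion routine serves both rule sources.
            $raw = $key.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            if ($raw) { @{ Level = [int]$level; Path = $raw } }
        }
    }
}

function Expand-SrpPath([string]$Path) {
    # SRP's registry-path form: %HKEY_LOCAL_MACHINE\Key\Subkey\ValueName%<optional suffix>
    if ($Path -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%(.*)$') {
        $hive  = @{ HKEY_LOCAL_MACHINE = 'HKLM:'; HKEY_CURRENT_USER = 'HKCU:' }[$matches[1]]
        $value = (Get-ItemProperty -Path "$hive\$($matches[2])" -Name $matches[3]).($matches[3])
        return $value.TrimEnd('\') + $matches[4]
    }
    # Plain %VAR% entries expand from the evaluating session's environment, so a rule
    # written against %LocalAppData% refers to the profile of whoever is being evaluated.
    return [Environment]::ExpandEnvironmentVariables($Path)
}

function ConvertTo-SrpRegex([string]$Expanded) {
    # '*' and '?' match within one path segment only, which is why the question
    # needs both %AppData%\*.exe and %AppData%\*\*.exe.
    $rx = [regex]::Escape($Expanded) -replace '\\\*', '[^\\]*' -replace '\\\?', '[^\\]'
    # A rule naming a folder (last segment has no wildcard and no extension) covers
    # everything beneath it; a file pattern has to match the whole path.
    if ($Expanded.Split('\')[-1] -notmatch '[*?.]') { $rx = "$rx(\\.*)?" }
    return "^$rx$"
}

function Resolve-SrpDecision([string]$File, $Rules) {
    $hits = foreach ($r in $Rules) {
        $exp = Expand-SrpPath $r.Path
        if ($File -match (ConvertTo-SrpRegex $exp)) {
            [pscustomobject]@{
                Rule        = $r.Path
                Expanded    = $exp
                Level       = $LevelNames[[int]$r.Level]
                LevelCode   = [int]$r.Level
                # Assumed metric: literal characters before the first wildcard.
                Specificity = ($exp -split '[*?]')[0].Length
            }
        }
    }
    if (-not $hits) { return [pscustomobject]@{ Rule = '(no path rule matched; default level applies)' } }
    # Most specific match wins; on a tie the more restrictive level (lower code) wins.
    $hits | Sort-Object @{ Expression = 'Specificity'; Descending = $true }, @{ Expression = 'LevelCode'; Descending = $false }
}

$rules = if ($FromRegistry) { @(Get-SrpPathRules) } else { $SampleRules }
"Candidate: $Candidate  (first row below is the rule that wins)"
Resolve-SrpDecision $Candidate $rules | Format-Table Rule, Level, Specificity, Expanded -AutoSize
```

Run it as the account the policy is meant to cover: %LocalAppData% expands to that account's profile, and a process elevated under a different administrator's credentials can evaluate the variable against that administrator's profile rather than the one holding the file. The script reports what the documented precedence says should happen; what the Safer engine actually decided is only visible in the Application log (events 865 and 866) or in the SRP trace log.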
19 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40541349
You don't. You'll find that updaters that run from a local profile folder, by necessity, also run under that user's account permissions. So if you are following best practices and using UAC and limited accounts, the updater, even if it could execute, would fail to actually update as it wouldn't have permissions to write to the install location. In a managed environment (such as yours) it is common and recommended practice to disable auto updaters and manage updates through a more managed patch management strategy.
0
 
LVL 26

Author Comment

by:Nick67
ID: 40541454
Sigh.
I AM the administrator.
And, like with Java, UAC prompts me for credentials, which I give it.
The installer then gets promptly murdered by the Group Policy.

And really, I have neither the budget nor the need for the heavy duty tools.
Everything else can do its job without a lot of hassle.
Office 2013 can auto-update without intervention
So can Flash.
Acrobat Reader prompts for UAC and then does its thing.

But Java and Simply Accounting do not because they insist on distributing an executable that then unpacks in these undesirable locations.  So I need to whitelist them.  How do I do so?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40541497
As I said, with group policy alone, you can't. It isn't just the location that is the issue. Flash auto-updates because it installs a service that always runs. So does Office 365. Traditional MSI Office 2013 does not auto-update, but relies on Windows Update which....runs as a service. They don't run in the user's context at all.

If it could be done in group policy, there wouldn't be a market for products like Appdeploy or Ninite, or even Desktop Authority by Dell. All would solve your issue. None are free. And I never said you weren't an admin. I just was providing background on *why* you were hitting the wall and why the answer is "you can't do that."
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40544595
I have success using the Free Community Edition of Privilege manager

http://privilegeforum.scriptlogic.com/
0
 
LVL 26

Author Comment

by:Nick67
ID: 40551913
Sigh.
As I said, with group policy alone, you can't. It isn't just the location that is the issue.
The location is the issue.  If I log on as Enterprise Admin, I cannot run the Java updater because the Group Policy software restrictions rules are set to disallow executables from running in %LocalAppData%\*
My whitelisting of %LocalAppData%\Temp\jre*.exe is not being successfully applied.

Is there some manner of restructuring that policy so that those who have admin-level logins can successfully execute these two wildcard paths?
%LocalAppData%\Temp\jre*.exe            Unrestricted
%LocalAppData%\Temp\SA201*.exe    Unrestricted
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40552039
Look at page 7 of this guide

http://www.thirdtier.net/downloads/CryptolockerWaystoaddExemptions.pdf

Path: %localAppData%\Temp\jre-7u49-windows-i586-iftw.exe

Security Level: Unrestricted

Description: Java auto-update exception.

To add additional exceptions as the Java updater changes revisit this and add values as follows:
%localAppData%\Temp\jre-7u50-windows-i586-iftw.exe
%localAppData%\Temp\jre-7u51-windows-i586-iftw.exe
%localAppData%\Temp\jre-7u52-windows-i586-iftw.exe
..and so on….
0
 
LVL 26

Author Comment

by:Nick67
ID: 40552070
I'll have a go at not using a wildcard and see if that is the problem.
PITA though.
Why should a wildcard in a restriction work?
%LocalAppData%\*\*.exe   Disallowed

But a wildcard in a permission fail?
%LocalAppData%\Temp\jre*.exe            Unrestricted
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 400 total points
ID: 40552098
Exemptions just don't work in software restriction policies I'm afraid to say.
0
 
LVL 26

Author Comment

by:Nick67
ID: 40552120
Exemptions just don't work in software restriction policies I'm afraid to say.
That contradicts your earlier post though...
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 400 total points
ID: 40552125
sorry I should have said wildcard exemptions
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40553537
Additional experts ??

There was no feedback on whether ID:40552039 works or not ???

Again you *can't* use wildcards in the exemptions.
0
 
LVL 26

Author Comment

by:Nick67
ID: 40553795
Additional experts ??
No disrespect was intended @dstewartjr.
Have a look at my profile.
I am normally on the other side of this rodeo--about 75 questions answered to one asked.

Yesterday morning I got the notice that I had 'abandoned' my Q.
I put in the RA, and posted #40551913
All subsequent posts (including yours) came in the interval between the RA start and RA granted.

We've got a 'sasquatch' here.
It's impossible to prove a negative -- but just one guy saying there's no such thing as a sasquatch isn't really enough proof to put the controversy to rest.

Again you *can't* use wildcards in the exemptions.
Well, now that I think about it, let's test that contention.
I will, and if you would be so kind as to follow suit:
Copy notepad.exe into %localAppData%\Temp\ and into %localAppData%\Temp\Test
and then whitelist %localAppData%\Temp\Test\Notepad.exe and %localAppData%\Temp\Note*.*
If, after Group Policy updates, %localAppData%\Temp\Test\Notepad.exe will run and %localAppData%\Temp\notepad.exe won't, your contention that the whitelist wildcard is the problem will have been conclusively proven.

If not...well, we'll blow that up when we get that far.
0
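The test procedure above, scripted as an added example (not the author's own code): it copies notepad.exe into the two locations, tries to start each copy, and then collects the evidence SRP leaves behind. That evidence is the Application log (event 866 for a block by a path rule, 865 for a block by the default level) and, with -EnableTrace, the SRP trace log that Microsoft documents for troubleshooting: a LogFileName string value under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers makes the Safer engine record every file it evaluated together with the matching rule, allowed files included, which is exactly what the event log never shows. The path rules themselves still have to be set in the GPO as the comment describes; the log location %SystemRoot%\Temp\safer.log is an assumption of this example, and writing the registry value needs administrative rights.

```powershell
# Added example, not the author's script: automate the notepad.exe test and
# gather the evidence SRP leaves behind. Run as the user whose %LocalAppData%
# the policy targets; -EnableTrace writes a registry value and needs admin rights.
param([switch]$EnableTrace)

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$TraceLog = Join-Path $env:SystemRoot 'Temp\safer.log'   # assumed location; any writable path works
$Temp     = Join-Path $env:LOCALAPPDATA 'Temp'
$Targets  = @(
    (Join-Path $Temp 'notepad.exe'),        # meant to be covered by the wildcard rule %localAppData%\Temp\Note*.*
    (Join-Path $Temp 'Test\notepad.exe')    # meant to be covered by the fully qualified rule
)

if ($EnableTrace) {
    # Documented SRP troubleshooting switch: with LogFileName set, the Safer engine
    # appends one line per evaluated file naming the decision and the matching rule.
    New-ItemProperty -Path $SaferKey -Name LogFileName -Value $TraceLog -PropertyType String -Force | Out-Null
}

$source = Join-Path $env:SystemRoot 'System32\notepad.exe'
foreach ($t in $Targets) {
    New-Item -ItemType Directory -Path (Split-Path $t -Parent) -Force | Out-Null
    Copy-Item -Path $source -Destination $t -Force
}

$started = Get-Date
$results = foreach ($t in $Targets) {
    try {
        # A policy block surfaces here as "This program is blocked by group policy"
        # (Win32 error 1260, ERROR_ACCESS_DISABLED_BY_POLICY).
        $p = Start-Process -FilePath $t -PassThru -ErrorAction Stop
        Start-Sleep -Milliseconds 500
        Stop-Process -Id $p.Id -ErrorAction SilentlyContinue
        [pscustomobject]@{ File = $t; Outcome = 'started' }
    } catch {
        [pscustomobject]@{ File = $t; Outcome = "blocked: $($_.Exception.Message)" }
    }
}
$results | Format-Table -AutoSize

# 866 = blocked by a path rule, 865 = blocked by the default level; both land in the
# Application log. Silence is not proof of "allowed": allowed files log nothing here.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866; StartTime = $started } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-List

if ($EnableTrace -and (Test-Path $TraceLog)) {
    # Trace lines cover allowed files too, so a copy that "just doesn't run" without
    # an event still shows up here with the rule the engine applied to it.
    Select-String -Path $TraceLog -Pattern 'notepad\.exe' | Select-Object -ExpandProperty Line
}
```

Leave the trace enabled only for the duration of the test and delete the LogFileName value afterwards; it logs every executable the machine evaluates.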
 
LVL 26

Assisted Solution

by:Nick67
Nick67 earned 0 total points
ID: 40553869
Hmm.
I get an EventID 866 'murdered by policy' for notepad in %LocalAppData%\Temp\
So the wildcard is clearly not honored.
I copied calc as well as notepad into %localAppData%\Temp\Test\
No prompts, no messages, no Events in Event Viewer -- but they don't run either.

What are your results?
When I whitelist notepad fully, as in
%LocalAppData%\Temp\Notepad.exe
It no longer prompts, or flags in Event Viewer, but it doesn't run either.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 100 total points
ID: 40566419
In fact, as in the AppLocker FAQ, deny takes precedence. Specifically, if there is an explicit deny action, it will supersede all other rules including allow or exception rules. As in the FAQ, it stated as an example,
- a rule created to allow the Everyone group to run any application in the Windows folder except regedit.exe.
- a rule created to allow the Helpdesk group to run regedit.exe.
- In this example, since there was an explicit deny action on regedit.exe, then no other rule permitting the Helpdesk group access to regedit.exe would supersede that rule.

Thought below may be of interest
Why can I not create hash- or path-based rules for Packaged apps?
All Packaged apps and Packaged app installers are signed by the publisher of the package. In contrast, classic apps are not always signed; and therefore, AppLocker supports hash- or path-based rules.
Can you block all applications except from a certain software publisher?

Yes. You can do this by creating a publisher condition rule that allows all files to run that are signed by the specific software publisher. In some cases for binaries that are created dynamically, you could create a path rule condition.

How can I temporarily allow a user to run or install applications?

There are a variety of methods, and the best one will depend on your administrative practices. The following are some possible methods:
You can set the enforcement mode on the relevant rule collection to Audit only so AppLocker will not block any application for the present time. Then, you can change the enforcement mode to Enforce rules when you are ready.

You can create an organizational unit (OU) that has a separate set of rules but does not block the users from running a particular application. Move the user to this OU temporarily while they install the update or application. Then, move them back to the OU where the original rule enforcement occurs.
Can AppLocker detect rule conflicts?

No. However, you can use the Windows PowerShell cmdlets Get-AppLockerPolicy and Test-AppLockerPolicy to check whether specific files are allowed based on an AppLocker policy. A second option is to create a duplicate policy (for example, by using a reference computer), which then allows you to test the policy before deployment and verify that it provides the intended results.
Caution
You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
0
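For the AppLocker side of the reply above, an added example (not from the thread) that performs the check the FAQ describes with Get-AppLockerPolicy and Test-AppLockerPolicy. The two file names mirror the question's updater paths and are constructed placeholders (copies of notepad.exe, because the cmdlet needs a real file to hash); it assumes the AppLocker PowerShell module is present on the machine.

```powershell
# Added example, not from the thread: ask the effective AppLocker policy what it
# would decide for paths shaped like the two updaters in the question.
Import-Module AppLocker   # ships with Windows 7 Enterprise / Server 2008 R2 and later

# Constructed placeholders; Test-AppLockerPolicy hashes the file, so it must exist.
$files = @(
    (Join-Path $env:LOCALAPPDATA 'Temp\jre-sample-iftw.exe'),
    (Join-Path $env:LOCALAPPDATA 'Temp\SA2015-sample.exe')
)
$source = Join-Path $env:SystemRoot 'System32\notepad.exe'
foreach ($f in $files) {
    if (-not (Test-Path $f)) {
        New-Item -ItemType Directory -Path (Split-Path $f -Parent) -Force | Out-Null
        Copy-Item -Path $source -Destination $f
    }
}

# -Effective merges local and domain AppLocker policy; -User is the principal evaluated.
# PolicyDecision is Allowed, Denied, DeniedByDefault or AllowedByDefault and MatchingRule
# names the rule, so an explicit deny outranking an allow is visible before enforcement.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $files -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The same pipeline with -XmlPolicy pointing at an exported policy file tests a draft before it is linked to any OU, which is the safe way to honour the FAQ's caution about editing a rule collection while it is enforced.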
 
LVL 26

Accepted Solution

by:
Nick67 earned 0 total points
ID: 40575848
I am not using AppLocker, I am using Software Restrictions Group Policies, which is a different monster
But
https://technet.microsoft.com/en-us/library/cc780831(v=ws.10).aspx
If two identical rules with differing security levels are applied to software, the more conservative rule takes precedence. For example, if two hash rules--one with a security level of Disallowed and one with a security level of Unrestricted--are applied to the same software program, the rule with a security level of Disallowed takes precedence, and the program will not run.

Although it's buggy as hell.
It should run if whitelisted explicitly, while the folder is disallowed.
It doesn't, and it doesn't give notification or events -- it just doesn't run -- and that's a bug
PITA.

But I am not paying MS to submit a bug report.
Sigh.

Thanks all.
0
 
LVL 61

Expert Comment

by:btan
ID: 40576512
For info - SRP is the predecessor of AppLocker. Not surprised it is buggy.
Can Software Restriction Policies’ rules be migrated to AppLocker rules?

No, not directly. AppLocker rules are not based on the same technology as Software Restriction Policies’ rules. You should carefully analyze your existing Software Restriction Policies’ rules and determine how they would conceptually map to new AppLocker rules.
I was also thinking if there is a rule conflict, but I believe you have already covered that.
Can AppLocker detect rule conflicts?

No. However, you can use the Windows PowerShell cmdlets Get-AppLockerPolicy and Test-AppLockerPolicy to check whether specific files are allowed based on an AppLocker policy. A second option is to create a duplicate policy (for example, by using a reference computer), which then allows you to test the policy before deployment and verify that it provides the intended results.
0
 
LVL 26

Author Closing Comment

by:Nick67
ID: 40583596
There was no answer.
The documentation suggests that a fully qualified path Unrestricted should run in a Disallowed folder.
It does not.
Nor does it give the promptings and Event Viewer entries that should follow suppression.
This is clearly a bug, and contrary to expectations given on other sites that fully qualified paths should function, they do not.
PITA.

Thanks to all who posted.
Nick67
0
