Software Restriction Policy Bypass Does Not Work!

Hello,
We have activated a bunch of software restriction policies to prevent Cryptolocker. Since then we keep getting an error each time we try to install a monitoring agent we use. We have added an Unrestricted path rule containing the agent.exe file, but it just does not work. See the error in the attached file.

Do we need to include the agent.exe /VERYSILENT variable to the path rule or agent.exe by itself suffice?

Any ideas?
Screen-Shot-2015-09-10-at-4.35.40-PM.png
Screen-Shot-2015-09-10-at-4.30.09-PM.png
SpiderPig asked:
McKnife commented:
Add an unrestricted rule for its hash.
0
SpiderPig (author) commented:
Not sure what you mean, I have never done a hash rule before. How do I do it?
0
McKnife commented:
New rule - hash rule.
0
yo_bee (Director of Information Technology) commented:
You do not include the switch in AppLocker. You just put in the exe that you want to allow. This allows the exe to run, and you can apply any switch you want when it is time to run it.

Also, if you want agent.exe to run from pretty much any directory structure, you can create a single rule that looks like *\agent.exe rather than creating path1\dir1\agent.exe and path2\dir2\agent.exe, or a hash rule as the previous Expert suggested. Either method will accomplish the desired results. Just no switches should ever be used in the pattern created for the AppLocker policy.
0
yo_bee (Director of Information Technology) commented:
Another pattern could be %appdata%\*\agent.exe

This allows the exe to run from any sub-directory in the %appdata% structure.
0
SpiderPig (author) commented:
I did the hash and the patterns suggested; none worked, I am getting the same error message.

With the hash I basically went to the network drive and chose the file I am trying to run...
Screen-Shot-2015-09-10-at-8.56.13-PM.png
0
McKnife commented:
Since allow rules will trump the less precise deny rules, it should work that way. Will try myself.
0
McKnife commented:
Hm... strange thing. I tried to quickly test here (on Win10) and SRPs don't work AT ALL, even after restarting the computer and double-checking the default restriction level.
So I had to take AppLocker (the successor of SRP) and there, indeed, it works as expected. You disallow anything, set an exception using the hash, and it starts, while it gets blocked without the exception hash rule.
0
SpiderPig (author) commented:
So you are saying I should ditch the SRP and move to AppLocker?
0
yo_bee (Director of Information Technology) commented:
My rules were for AppLocker and not SRP. I thought you were using that this whole time.
0
McKnife commented:
Yes, AppLocker is the successor, use it.
0
Rakesh Kapoor commented:
You can follow the steps defined in the article below to restrict software using Group Policy.

http://www.itingredients.com/how-to-deploy-software-restriction-policy-gpo/
0
SpiderPig (author) commented:
OK, this AppLocker does not work as expected. First I kept all SRP rules and just added an AppLocker allow rule pointing to that EXE, then I enabled the app id service (basically following http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx).

It did not work, so I assumed I would need to remove SRP and create only AL rules. The problem is that when I go to create a path rule in AL for %AppData%\*.exe it does not let me click Next or Create. It does not like my path for some reason. How do I create a rule to block all exe files in %AppData%?
0
McKnife commented:
Google "applocker variables".
0
SpiderPig (author) commented:
Yeah, there is no %AppData% :( Not sure how to move it to AppLocker then.
0
McKnife commented:
AppLocker uses its own variables. You'll have to use
%OSDRIVE%\Users\*\AppData\roaming
for appdata.
0
SpiderPig (author) commented:
OK, sounds good, I am going to try today and get back to you ASAP! My apologies for the delay. Thanks.
0
SpiderPig (author) commented:
Hi Guys,
I created a set of AppLocker rules on a different server, and I have to admit I don't think it's working. I did enable the Application ID service (I believe that's what it's called). Here is why I think it's not working: with the SRP, the Spotify PC client stopped working for users. With the AppLocker I had a PC today that still uses Spotify.

Is there another way to test it?

Thanks for your help.
0
McKnife commented:
We cannot judge your steps from here if you don't say which exact steps you took. There are many AppLocker how-tos on the web. A restart is usually required, by the way.
0
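Putting the thread's advice together as an added example (not from the thread, not Microsoft's code): a PowerShell script that builds an AppLocker EXE policy with a deny rule on every user's roaming AppData using the %OSDRIVE% variable, an allow-by-hash rule for agent.exe (no switches in the rule), and then dry-runs it with Test-AppLockerPolicy before applying it in audit mode. The installer location C:\Installers\agent.exe is a constructed path; run in an elevated session on the machine being tested.

```powershell
# Added example: AppLocker policy mirroring the SRP setup, tested before enforcement.
# Assumed/constructed: the installer lives at C:\Installers\agent.exe.
Import-Module AppLocker
$agentPath = 'C:\Installers\agent.exe'

# Appends a FilePathRule for Everyone (SID S-1-1-0) to an AppLocker RuleCollection element.
function Add-PathRule([System.Xml.XmlElement]$Collection, [string]$Name,
                      [string]$Path, [string]$Action) {
    $doc  = $Collection.OwnerDocument
    $rule = $doc.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
    $rule.SetAttribute('Name', $Name)
    $rule.SetAttribute('Description', '')
    $rule.SetAttribute('UserOrGroupSid', 'S-1-1-0')
    $rule.SetAttribute('Action', $Action)
    $cond = $doc.CreateElement('FilePathCondition')
    $cond.SetAttribute('Path', $Path)
    $conds = $doc.CreateElement('Conditions')
    [void]$conds.AppendChild($cond)
    [void]$rule.AppendChild($conds)
    [void]$Collection.AppendChild($rule)
}

# 1. Hash rule for agent.exe; /VERYSILENT belongs on the command line, never in the rule.
$agentInfo = Get-AppLockerFileInformation -Path $agentPath
[xml]$policy = New-AppLockerPolicy -FileInformation $agentInfo -RuleType Hash `
    -User Everyone -RuleNamePrefix 'Allow agent.exe' -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exe.SetAttribute('EnforcementMode', 'AuditOnly')   # audit first, enforce later

# 2. Path rules use AppLocker's own variables (%OSDRIVE%), not %AppData%.
#    Once a collection has any rule, unmatched files are denied by default, so the
#    '*' allow restores SRP's "Unrestricted" default. Deny beats Allow in AppLocker:
#    a copy of agent.exe dropped under AppData stays blocked despite the hash rule.
Add-PathRule $exe 'Allow everything else' '*' 'Allow'
Add-PathRule $exe 'Block EXEs in roaming AppData' '%OSDRIVE%\Users\*\AppData\Roaming\*' 'Deny'
$xmlPath = Join-Path $env:TEMP 'agent-policy.xml'
$policy.Save($xmlPath)

# 3. Dry run: a copy of cmd.exe in %APPDATA% should show Denied, agent.exe Allowed.
$probe = Join-Path $env:APPDATA 'probe.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" $probe
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $probe, $agentPath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe

# 4. Apply locally in audit mode; without the Application Identity service nothing is evaluated.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
Start-Service AppIDSvc
# Event 8003 = would have been blocked (audit), 8004 = blocked (enforce).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 |
    Where-Object { $_.Id -in 8003, 8004 } | Select-Object TimeCreated, Id, Message
```

The audit events are the answer to "is there another way to test it": launch the blocked application, then look for 8003 entries before switching EnforcementMode to Enabled.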
SpiderPig (author) commented:
Worked. Ended up using the AppControl and creating exclusions per user. Thanks and sorry for the delay.
0
Windows Server 2012