Windows 10: AppLocker Allowed Executable Runs Denied DLL

Discus and support AppLocker Allowed Executable Runs Denied DLL in AntiVirus, Firewalls and System Security to solve the problem; I am testing AppLocker's functionality to assess suitability for protecting a windows application from tampering. My goal is to test the robustness of... Discussion in 'AntiVirus, Firewalls and System Security' started by benavidb, Apr 9, 2020.

  1. BENAVIDB
    benavidb Win User

    AppLocker Allowed Executable Runs Denied DLL


    I am testing AppLocker's functionality to assess suitability for protecting a windows application from tampering. My goal is to test the robustness of its rules in the face of DLL hijacking. As a test I have a simple executable compiled from C# that displays a window and button. When the button is clicked it uses a single DLL dependency to pull the system time and IP and return it as a string. The window then updates with a message stating the returned string. An AppLocker executable rule was added to allow the executable based on its hash. Additionally, I have generic DLL rules that allow execution of all DLLs in the Windows folder and the Program Files folder. My test executable and its dependency are both in a folder on the desktop not a valid DLL execution folder.

    After ensuring the AppIdSvc is running and doing a gpupdate on the client PC, I was able to run the executable as expected but the executable was also able to run its DLL dependency even though the dependency was outside of the Windows/Program Files directories. This was also the case after I replaced that DLL with a tampered one to ensure it wasn't somehow related to the rule created for the executable and to prove that my executable is actually running that dependency it is. Even after I added an explicit rule to deny both the legitimate and tampered DLLs based on their hash, it's still able to run. Reviewing the AppLocker logs I don't see any message saying the DLL was or was not allowed to run it's as if AppLocker never saw it even though I am able to see that the DLL was accessed by the executable in Process Monitor. Other AppLocker logs show that the executable was allowed to run letting me know my rules are working - I also ran many other AppLocker tests to ensure it is actually running and it was.



    Is AppLocker not able to protect the integrity of dependency DLLs based on their hash? Can an allowed executable run ANY DLL? I've read some articles that rundll32 circumvents the DLL rules by being allowed to run from its safe location while loading and executing DLLs from unsafe locations and may perhaps be the culprit here. Any information is greatly appreciated.

    :)
     
    benavidb, Apr 9, 2020
    #1
  2. BRINK
    Brink Win User

    How to set up AppLocker restrictions on Windows 10 Pro?

    Hello @ahmd, *Smile

    If you like, here are out AppLocker tutorials below that may be able to help with this for you.

     
    Brink, Apr 9, 2020
    #2
  3. CHISLE
    chisle Win User
    Applocker not blocking -- Win10Pro, Applocker configured, AppIDsvc run

    • OS: Win10Pro
    • Applocker: configured blocking of apps and executables
    • Applocker rules: set to enforcing
    • Service: AppIDSvc is running

    I've been trying to get Edge and a couple other utilities blocked on the laptop to keep distractions to a minimum for my child who uses the computer to study.
    However, even after rules are defined, and they are set to enforcing as blocked, the apps and executables are still available to them -- even after a reboot.

    I have followed the instructions here: https://social.technet.microsoft.com...10itprogeneral
    However, there is still no blocking of the apps or the executables.
    Thank you for your consideration.
     
    chisle, Apr 9, 2020
    #3
  4. OLIVERCACERES
    OliverCaceres Win User

    AppLocker Allowed Executable Runs Denied DLL

    Block a DLL with Applocker

    Hi all,

    On my organization we want to implement Applocker to block unauthorized DLLs. So far, I've created a very simple test, I've created an exe file that loads a function stored on a DLL. I created the program using visual studio and C#.


    AppLocker Allowed Executable Runs Denied DLL 6f2c0613-d5bb-4701-ac86-8d5fbbf047d6?upload=true.png


    I followed the instructions posted here to block the DLL that my EXE file uses to work using Applocker.
    This are my settings


    AppLocker Allowed Executable Runs Denied DLL a296efb7-61f2-42a9-9661-dd35c92fd9fd?upload=true.png

    AppLocker Allowed Executable Runs Denied DLL b695c03b-a2cf-4400-a535-d2280777fe6d?upload=true.png

    AppLocker Allowed Executable Runs Denied DLL 89f752ff-185f-4e2a-9fc3-cfa9433ac3cb?upload=true.png


    For my surprise this don't stop my program from loading the function in the DLL. Is there a way to achieve this using Applocker?

    OS: Windows Server 2012 R2
     
    OliverCaceres, Apr 9, 2020
    #4
Thema:

AppLocker Allowed Executable Runs Denied DLL

Loading...

  1. AppLocker Allowed Executable Runs Denied DLL - Similar Threads - AppLocker Allowed Executable

  2. Applocker prevents execution of exe-file despite "Allow"-Rule

    in Windows 10 Gaming
    Applocker prevents execution of exe-file despite "Allow"-Rule: Hi all, I´m in the process of rolling out Applocker and so far it is doing what it is supposed to do, except for one problem I ran into today:An exe-file is being prevented from executing, althoughI do have a corresponding Allow rule in place Publisher / Allow / Everyone / No...

  3. Applocker prevents execution of exe-file despite "Allow"-Rule

    in Windows 10 Software and Apps
    Applocker prevents execution of exe-file despite "Allow"-Rule: Hi all, I´m in the process of rolling out Applocker and so far it is doing what it is supposed to do, except for one problem I ran into today:An exe-file is being prevented from executing, althoughI do have a corresponding Allow rule in place Publisher / Allow / Everyone / No...

  4. How do I block executables from running using applocker in a corporate / enterprise...

    in Microsoft Windows 10 Store
    How do I block executables from running using applocker in a corporate / enterprise...: Hello, I am looking for helps blocking executables and unwatned apps from being ran on corporate and field PCs. We have windows pro and enterprise editions and I am looking for what would be the most efficient way of doing this. I have tried configuration profiles in intune...

  5. How do I block executables from running using applocker in a corporate / enterprise...

    in Windows 10 Gaming
    How do I block executables from running using applocker in a corporate / enterprise...: Hello, I am looking for helps blocking executables and unwatned apps from being ran on corporate and field PCs. We have windows pro and enterprise editions and I am looking for what would be the most efficient way of doing this. I have tried configuration profiles in intune...

  6. How do I block executables from running using applocker in a corporate / enterprise...

    in Windows 10 Software and Apps
    How do I block executables from running using applocker in a corporate / enterprise...: Hello, I am looking for helps blocking executables and unwatned apps from being ran on corporate and field PCs. We have windows pro and enterprise editions and I am looking for what would be the most efficient way of doing this. I have tried configuration profiles in intune...

  7. Block a DLL with Applocker

    in Windows 10 Customization
    Block a DLL with Applocker: Hi all, On my organization we want to implement Applocker to block unauthorized DLLs. So far, I've created a very simple test, I've created an exe file that loads a function stored on a DLL. I created the program using visual studio and C#. [ATTACH] I followed the...

  8. Use AppLocker to Allow or Block DLL Files from Running in Windows 10

    in Windows 10 Tutorials
    Use AppLocker to Allow or Block DLL Files from Running in Windows 10: How to: Use AppLocker to Allow or Block DLL Files from Running in Windows 10 How to Use AppLocker to Allow or Block DLL Files from Running in Windows 10 packaged apps (aka: Microsoft Store apps), and packaged app installers. AppLocker defines DLL rules to include...

  9. Use AppLocker to Allow or Block Executable Files in Windows 10

    in Windows 10 Tutorials
    Use AppLocker to Allow or Block Executable Files in Windows 10: How to: Use AppLocker to Allow or Block Executable Files in Windows 10 How to Use AppLocker to Allow or Block Executable Files from Running in Windows 10 packaged apps (aka: Microsoft Store apps), and packaged app installers. AppLocker defines executable rules as any...

  10. Applocker not blocking -- Win10Pro, Applocker configured, AppIDsvc run

    in Windows 10 Software and Apps
    Applocker not blocking -- Win10Pro, Applocker configured, AppIDsvc run: OS: Win10Pro Applocker: configured blocking of apps and executables Applocker rules: set to enforcing Service: AppIDSvc is running I've been trying to get Edge and a couple other utilities blocked on the laptop to keep distractions to a minimum for my child who uses the...