Windows 10: Applocker prevents execution of exe-file despite "Allow"-Rule

Hi all, I´m in the process of rolling out Applocker and so far it is doing what it is supposed to do, except for one problem I ran into today:An exe-file is being prevented from executing, althoughI do have a corresponding Allow rule in place Publisher / Allow / Everyone / No exceptionsI do not have a Deny Rule in place which would take precedence over the Allow-Rule and explain the behaviourThe correct Group Policy and therefore Applocker policy is being deployed on my machine checked with gpresult, so I can rule out that any other Applocker policies cause the Deny behaviourOthe

:)

 

AppLocker Allowed Executable Runs Denied DLL

I am testing AppLocker's functionality to assess suitability for protecting a windows application from tampering. My goal is to test the robustness of its rules in the face of DLL hijacking. As a test I have a simple executable compiled from C# that displays
a window and button. When the button is clicked it uses a single DLL dependency to pull the system time and IP and return it as a string. The window then updates with a message stating the returned string. An AppLocker executable rule was added to allow the
executable based on its hash. Additionally, I have generic DLL rules that allow execution of all DLLs in the Windows folder and the Program Files folder. My test executable and its dependency are both in a folder on the desktop (not a valid DLL execution folder).

After ensuring the AppIdSvc is running and doing a gpupdate on the client PC, I was able to run the executable (as expected) but the executable was also able to run its DLL dependency even though the dependency was outside of the Windows/Program Files directories.
This was also the case after I replaced that DLL with a tampered one to ensure it wasn't somehow related to the rule created for the executable and to prove that my executable is actually running that dependency (it is). Even after I added an explicit rule
to deny both the legitimate and tampered DLLs based on their hash, it's still able to run. Reviewing the AppLocker logs I don't see any message saying the DLL was or was not allowed to run (it's as if AppLocker never saw it) even though I am able to see that
the DLL was accessed by the executable in Process Monitor. Other AppLocker logs show that the executable was allowed to run (letting me know my rules are working - I also ran many other AppLocker tests to ensure it is actually running and it was).



Is AppLocker not able to protect the integrity of dependency DLLs based on their hash? Can an allowed executable run ANY DLL? I've read some articles that rundll32 circumvents the DLL rules by being allowed to run from its safe location while loading and
executing DLLs from unsafe locations and may perhaps be the culprit here. Any information is greatly appreciated.

 

Applocker

I block the IE just for testing
But now its block all exe file and i run the default rule.
I want that regular user will be able to install exe files
But applocker block all exe
any suggestion ?

 

How to set up AppLocker restrictions on Windows 10 Pro?

Hello @ahmd, *Smile

If you like, here are out AppLocker tutorials below that may be able to help with this for you.

• Use AppLocker to Allow or Block DLL Files from Running in Windows 10
• Use AppLocker to Allow or Block Executable Files in Windows 10
• Use AppLocker to Allow or Block Script Files in Windows 10
• Use AppLocker to Allow or Block Windows Installer Files in Windows 10
• Use AppLocker to Block Microsoft Store Apps in Windows 10
• Export and Import AppLocker Policy for Rules in Windows 10
• Clear AppLocker Policy in Windows 10
• Delete AppLocker Rule in Windows 10