+1, we're doing pretty much exactly what Jim describes as well for valid software exceptions.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Monday, April 10, 2017 7:56 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Running exe from APPDATA..TEMP directory

There are two Ditto's. One is a toolbar that seems to fit your description. The other is an enhancement to clipboard and seems legit. So yea, exceptions of course have to be for valid software. I don't have a problem doing it if it is valid software. That's my job, make it usable and safe. A publisher exception is perfectly safe.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Monday, April 10, 2017 10:52 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Running exe from APPDATA..TEMP directory

I'll have to see. Other admin in the department trying to get the exception approved for ditto.exe (Screen sharing software). All I can find is bad installs and corrupt files in GoogleFu. I am thinking I will be asking them to get other software that doesn't have such a bad track record.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Monday, April 10, 2017 10:40 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Running exe from APPDATA..TEMP directory

Notice: This email is from an outside source. Please do not open any attachments, click on any hyperlinks, or respond without first confirming the authenticity of the email.

That is very common, and creating exceptions for that directory is to be expected. For example, all the webcast/conference software like WebEx use that directory. I am assuming you are using AppLocker. Hopefully the vendor signed their exe with a cert. Most do these days.
So create a publisher exception, that is pretty darn bulletproof and better than doing a path exception. It also future-proofs the exception. When the software updates it is pretty darn certain that the cert will look the same.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Monday, April 10, 2017 10:32 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Running exe from APPDATA..TEMP directory

Have a vendor that wants to run his app from the APPDATA..TEMP directory. I have a GPO that denied .exe from running there or subfolders of there. Any reason I should allow this? I have the exact folder and program name but it's opening up an exception to my rule?? Any thoughts?

David McSpadden
System Administrator
Indiana Members Credit Union
P: 317.554.8190

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer.
Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
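
The publisher exception discussed in this thread, sketched as an added example that is not part of the original messages. It assumes AppLocker with a blocklist-style Exe rule collection; the vendor file path, the Temp path pattern, the output file and the rule names are placeholders chosen for illustration.

```powershell
# Added example (not from the thread). Paths and rule names are placeholders.
$VendorExe = "$env:LOCALAPPDATA\Temp\VendorApp\VendorApp.exe"   # hypothetical location
$PolicyOut = Join-Path $env:TEMP 'temp-deny-with-publisher-exception.xml'

# A publisher exception only works if the file has a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $VendorExe
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; cannot build a publisher exception."
}

# Read the publisher fields AppLocker matches on and escape them for XML.
$pub     = (Get-AppLockerFileInformation -Path $VendorExe).Publisher
$esc     = { param($s) [System.Security.SecurityElement]::Escape($s) }
$pubName = & $esc $pub.PublisherName
$product = & $esc $pub.ProductName
if (-not $product) { $product = '*' }   # some signed files carry no product name

# Allow everything, deny the user Temp tree, and exempt the one signed product
# from the deny rule. BinaryName and version are wildcarded so the exception
# keeps working when the vendor ships an update signed by the same publisher.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow all (placeholder baseline)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny exe in user Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="$pubName" ProductName="$product" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyOut -Value $policyXml -Encoding UTF8

# Dry run before deploying: the signed vendor file should not match the deny rule.
Test-AppLockerPolicy -XmlPolicy $PolicyOut -Path $VendorExe -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule
```

Running the same `Test-AppLockerPolicy` call against an unsigned executable placed in the Temp tree shows the deny rule still applies to everything the exception does not name.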