And I might add something like that for admins once we get it working, but 
we're not sure yet. Kind of trying to figure it out first.  But even then, it's 
unnecessary to add a rule like that for standard users as the default rule 
denies it, and then you can't override with an allow.  That's actually one 
thing I'm happy for, in that I hope this is going to cut down on some malware 
issues.  I know it could be moved, so we might just hash it anyway; testing 
right now with the * in the path.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Kennedy, Jim
Sent: Tuesday, January 19, 2016 12:18 PM
To: [email protected]
Subject: [NTSysADM] RE: Applocker Exe rules

Melvin's question triggered a thought.

From a security standpoint, Bonnie, I respectfully suggest you block 
c:\users\*\appdata\*

Then whitelist on the exception tab for that rule what needs to be allowed to 
run.  Otherwise you are missing a golden opportunity to kill darn near all the 
viruses and malware out there.  Plus you are playing reverse whack-a-mole, 
killing the bad stuff one path at a time.

Consider trying it my way, set it to log. I bet the list to whitelist will be 
pretty short.


Also, going back to your original question, I believe you can block 
onedrive.exe all by itself and kill it universally.  Yeah, they can rename 
it. But they can also move it on a path block too.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Melvin Backus
Sent: Tuesday, January 19, 2016 3:07 PM
To: [email protected]
Subject: [NTSysADM] RE: Applocker Exe rules

Doesn't recursion from the profile directory catch that?  %USERPROFILE% would 
be the level above.  Unless of course you have legitimate things running from 
within the profile directory.

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Miller Bonnie L.
Sent: Tuesday, January 19, 2016 2:52 PM
To: [email protected]
Subject: [NTSysADM] Applocker Exe rules

I'm working on policies for our Win10 deployment (Surface Pro 4s have been 
ordered, they only come with 10) and have an AppLocker question, specifically 
with executable rules.

I can't use standard system variables in the paths, like we have done with 
Software Restriction Policies.  Instead there are some special vars available, 
but I'm not finding anything for user folders/appdata.  Has anyone found a way 
to define the following with any sort of variable?

C:\users\username\appdata\something.exe

Specifically, we have a program (onedrive.exe) that is in the user profile path 
by default, but needs to be blocked for all users, even administrators.  With 
the default rules, the program is blocked for everyone who is a standard user 
but is allowed for admins.

I know I can successfully block programs for admins as I have a similar rule 
already working that points to the groove.exe location in Program files and it 
can't be run, but everything I've tried for this one doesn't seem to work as I 
can't craft a working variable.

Am I stuck with hashing this file and every new version?  I realize there are 
options for not even installing some of the default apps that come with 10; we 
are looking at that as well, but we may want to allow the next gen sync client 
for some people later, if we ever get to one-to-one.

I'm also thinking that we might have a need to use this sort of path to ALLOW 
an executable to run from a user profile path.

Thanks for any and all ideas and suggestions!
-Bonnie
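The approach Jim describes above (deny everything under each user's AppData with exceptions, start in audit mode, build the allow list from the log) and the wildcard path Bonnie is after, as an added PowerShell example that is not part of the thread. It assumes the built-in AppLocker cmdlets on a Windows 10 box with the Application Identity service running; the exception path, the sample file paths other than OneDrive's, and the user name `alice` are constructed placeholders.

```powershell
# Added example, not from the thread. Writes an AppLocker EXE rule collection that
# denies everything under every user's AppData for Everyone (S-1-1-0), carves out
# vetted apps as exceptions, and includes an admin allow-all rule equivalent to the
# default one for BUILTIN\Administrators (S-1-5-32-544) to show the deny still wins.
# EnforcementMode starts as AuditOnly so the exception list can be built from events.
$policyPath = "$env:TEMP\appdata-deny.xml"
$denyId  = [guid]::NewGuid()
$allowId = [guid]::NewGuid()

@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$denyId" Name="Deny EXE under user AppData" Description="Applies to all users, admins included" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" />
      </Conditions>
      <Exceptions>
        <!-- constructed placeholder: add one line per vetted per-user application -->
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\ExampleVendor\ExampleApp\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$allowId" Name="Admins allow all (mirrors default rule)" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyPath -Encoding UTF8

# Dry-run the XML against sample paths before touching the live policy. The OneDrive
# path is the thread's own example; the other two are constructed.
$samples = @(
  "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",    # expect Denied by the AppData rule
  "C:\Users\alice\AppData\Local\ExampleVendor\ExampleApp\app.exe",   # excepted from the deny; shows DeniedByDefault
                                                                     # here because this file has no allow rule for standard users
  "C:\Program Files\ExampleVendor\tool.exe"                          # outside AppData; not matched by the deny rule
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
  Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the effective local policy (run elevated). In AuditOnly nothing is blocked yet.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Build the exception list from audit data: event 8003 = "would have been blocked" while in
# AuditOnly (8004 is a real block once enforced). Each Message names the file that fired.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 200 |
  Select-Object TimeCreated, Message | Format-List
```

Run in AuditOnly until the 8003 events stop surfacing new legitimate paths, add each as an exception, then switch EnforcementMode to Enabled.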
