Server Security - AppLocker


2 replies to this topic

#1 bluerussian
Posted 29 September 2016 - 08:58 PM

All,

My coworkers and I have recently started implementing AppLocker on our Terminal Servers to further lock them down from rogue apps. Does anyone have knowledge of what Microsoft considers an "executable" when applying the AppLocker policy to folders? My AV program, for instance, considers two dozen different extensions as executables when scanning them for malicious activity.

From what I understand of other posts here, rogue apps run not only as .exe but as .msi, .js and others.

Thanks for the insight.

B.




#2 sflatechguy
Posted 08 October 2016 - 01:22 PM

Anything with a .exe or .com extension is considered an executable. Because AppLocker rules are based on file paths, all executable files in those paths are allowed. So if malware installs itself in an allowed file path, AppLocker may not block it.

https://technet.microsoft.com/en-us/library/ee460956(v=ws.11).aspx
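For anyone working through the same question, the points in the reply above can be checked from PowerShell on the server itself. AppLocker splits enforceable files into rule collections: Executable (.exe, .com), Windows Installer (.msi, .msp, .mst), Script (.ps1, .bat, .cmd, .vbs, .js), DLL (.dll, .ocx) and Packaged app (.appx). Each collection has its own rules and its own enforcement setting, and a rule's condition can be a publisher, a path or a file hash, so a path-only policy is one design choice rather than the only one. The script below is an added example written for this thread, not something posted by either participant or taken from the TechNet article; the scan folders, the policy XML location and the "dropper" copy used in the dry run are assumptions for illustration.

```powershell
# Added example for this thread (not from the posts above). Assumed values:
# the folders in $ScanDirs, the XML path in $PolicyXml, and the copied test file.

# 1. Enumerate what AppLocker can actually enforce on, per rule collection.
#    Get-AppLockerFileInformation skips file types AppLocker has no collection
#    for, so its output is the practical answer to "what counts as an executable".
$ScanDirs  = @('C:\Program Files', 'C:\Program Files (x86)')   # assumption
$FileTypes = @('Exe', 'Dll', 'Script', 'WindowsInstaller')

$Files = foreach ($dir in $ScanDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType $FileTypes
}

# Tally by extension so you can see which collection each file lands in:
# Exe: .exe .com | Dll: .dll .ocx | Script: .ps1 .bat .cmd .vbs .js | MSI: .msi .msp .mst
$Files |
    Group-Object -Property { [System.IO.Path]::GetExtension("$($_.Path)").ToLower() } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 2. Build allow rules for Everyone. -RuleType is an order of preference:
#    publisher rules for signed files, path rules only as the fallback for
#    unsigned ones. -Optimize collapses file-level rules into folder/publisher rules.
$PolicyXml = 'C:\Policies\applocker-ts.xml'                    # assumption
New-AppLockerPolicy -FileInformation $Files `
    -RuleType Publisher, Path -User Everyone `
    -RuleNamePrefix 'TS' -Optimize -Xml |
    Out-File -FilePath $PolicyXml -Encoding UTF8

# 3. Dry-run the XML before deploying. A copy of a legitimate binary dropped into
#    a user-writable folder shows the difference between rule types: a path rule
#    for Program Files does not follow the copy (DeniedByDefault), whereas a
#    publisher rule allows the same signed binary wherever it sits.
$Dropper = Join-Path $env:TEMP 'notepad-copy.exe'              # constructed test file
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $Dropper -Force

Test-AppLockerPolicy -XmlPolicy $PolicyXml -User Everyone `
    -Path @("$env:WINDIR\System32\notepad.exe", $Dropper) |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

Remove-Item -Path $Dropper -Force
```

Test-AppLockerPolicy only evaluates the XML you give it; nothing is enforced until the policy is applied (Set-AppLockerPolicy -XmlPolicy, or via GPO), the Application Identity service is running, and each collection is set to Enforce rather than Audit. The "malware in an allowed path" case from the reply above usually comes from the default path rule that allows everything under %WINDIR%\*, because a few subfolders there (C:\Windows\Tasks and C:\Windows\Temp are the usual examples) are writable by standard users; run the same Test-AppLockerPolicy check against a file copied into those folders, and either add deny rules for them or use publisher rules for what lives under Windows.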



#3 bluerussian

bluerussian
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 13 October 2016 - 08:47 PM

OK, I think I understand this. It's more a path blocker than an executable blocker. Since executables should not be running under a user's profile, we cover anything running there regardless of extension.

Thanks for the TechNet article.
