Application Data folders subject to Software Restriction Policy blocking executables--necessary?

Status
Not open for further replies.

conceptualclarity

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,072
I have run into Windows XP Software Restriction Policies blocking installations twice in the last day. The policies are blocking executables running from Application Data folders. You can see the blocking of the installation of Dashlane Premium. Last night another program's auto-update function was blocked with the same error message.

I don't know why these programs are putting executables in Application Data folders. Is there any potential harm in it? I understand that Software Restriction Policies can be altered. Any reason not to save myself from this nuisance by allowing launches from Application Data folders?


Computer: DELL Dimension 2400
CPU: Intel Pentium 4-2667 (Northwood, D1)
2666 MHz (20.00x133.3) @ 2658 MHz (20.00x132.9)
Motherboard: DELL 0G1548
Chipset: Intel 845GEV (Brookdale-GEV) + ICH4
Memory: 2048 MBytes @ 166 MHz, 2.5-3-3-7
- 1024 MB PC3200 DDR-SDRAM - Kingston K
- 1024 MB PC3200 DDR-SDRAM - Kingston K
Graphics: Intel 82845G/GL/GV Graphics Controller [DELL]
Intel i845G(L) Integrated, 64 MB
Drive: WL120GPA872, 117.2 GB, E-IDE (ATA-7)
Drive: HGST HTS545050A7E380, 488.4 GB, Serial ATA 3Gb/s <-> USB
Drive: SAMSUNG CD-R/RW SW-252S, CD-R Writer
Sound: Creative Technology SB Live! Series Audio Processor
Network: RealTek Semiconductor RTL8139 PCI Fast Ethernet NIC [A/B/C]
Network: Broadcom 4401 10/100 Integrated Controller
OS: Microsoft Windows XP Home Edition Build 2600
Antivirus: ESET Smart Security 9.0.375.0
Firewall: ESET Smart Security 9.0.375.0
Default Browser: Maxthon
Dashlane error.png
Dashlane blocked by Restriction Policy.png
 

conceptualclarity
I have a lot in XP under ApplicationData in Current User and very little under AppData.

Most of the folders under ApplicationData have no .exe files, but it's clear that a fair number do.

6kGUm4.png

Oz3Zqk.png


175wEs.png

lVKWdI.png

This is clearing up a mystery about why a lot of things haven't worked on my computer. So I need to know if there is any reason not to get rid of this software restriction.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
cc...

One of the reasons cleaners are apt to give you the option to clean the Temp folder (not to be confused with Temporary Internet Files) is that many programs load an executable into the Temp folder when they are installing. This Temp folder is located in your Documents and Settings\User path in the Application Data folder. Here is the exact path in Windows 7. I don't have an XP PC hooked up at the present time, but this should get you in the ballpark:

C:\Users\HP 6200PROW7\AppData\LocalLow\Temp

This should get you close. Start with Documents and Settings. Most security cleaners recommend cleaning this folder regularly and/or scanning it regularly. The Windows standard cleaner feature will list this folder for cleaning if you check its dialog and/or choose to use it to keep the folder clean.

It's annoying, but once in a while, I run into a situation where cleaning the folder will delete a file a program uses. I haven't run into the problem in a long time, though, and I run the Windows cleaner on a schedule every day. This problem is really the result of a poor decision from a developer. They really shouldn't drop useful files in that folder given the importance security writers place on monitoring the folder. Also, regularly cleaning this folder is really quite sensible in my mind. Its contents can use a substantial amount of disk space. Anyway, I guess those are the reasons why I haven't seen the problem in a while...developers have figured out that placing a settings file there is not a good idea.

Just to add. I managed to determine the scan patterns of the default scans of my a-v program, and one folder it scans VERY frequently is the TEMP folder.

Hope this helps.
 

hjlbx

The danger of AppData and Program Data directories are that they are in User Space.

Malware very often installs to and executes from User Space = C:\Users\User\AppData and C:\Program Data.

You should only make exceptions to User Space executions for trusted\known files -- that's all there is to it.
 

conceptualclarity
The danger of AppData and Program Data directories are that they are in User Space.

Malware very often installs to and executes from User Space = C:\Users\User\AppData and C:\Program Data.

You should only make exceptions to User Space executions for trusted\known files -- that's all there is to it.

I'm not familiar with the term and concept User Space.

How do I make exceptions?

I trust the programs that are on my computer. I download from the developer's site or, if not possible, a good download site like Major Geeks or Softpedia. I always scan the setup files with Virus Total and JottiQ before running them. I am aware of the need and the means to avoid bundling of unwanted programs. WinPatrol and StartupStar watch over autostarts for me, and ExeWatch keeps a record of what comes aboard my system.

Since you brought that up, though, I don't understand why users who are above my grade speak of dealing with untrusted files on their system by sandboxing, etc. because I figure that these people know better than to download anything dodgy unless they're engaged in some sort of deliberate experimentation. I know I'm missing something here but I can't quite get it. (And I'm not saying that VT and JottiQ are necessarily a substitute for sandboxing. The one time I tried Sandboxie it put my browser in deep freeze, so I figured Sandboxie will have to wait for my next computer. SecureAPlus' initial run also was more than this old Dell could handle.)
 

hjlbx

I'm not familiar with the term and concept User Space.

How do I make exceptions?

I trust the programs that are on my computer. I download from the developer's site or, if not possible, a good download site like Major Geeks or Softpedia. I always scan the setup files with Virus Total and JottiQ before running them. I am aware of the need and the means to avoid bundling of unwanted programs. WinPatrol and StartupStar watch over autostarts for me, and ExeWatch keeps a record of what comes aboard my system.

Since you brought that up, though, I don't understand why users who are above my grade speak of dealing with untrusted files on their system by sandboxing, etc. because I figure that these people know better than to download anything dodgy unless they're engaged in some sort of deliberate experimentation. I know I'm missing something here but I can't quite get it. (And I'm not saying that VT and JottiQ are necessarily a substitute for sandboxing. The one time I tried Sandboxie it put my browser in deep freeze, so I figured Sandboxie will have to wait for my next computer. SecureAPlus' initial run also was more than this old Dell could handle.)

User Space = C:\Program Data + C:\Users\* (W8.1 & 10)

I'm not sure of the exact User Space directories for XP - but C:\Documents and Settings\Owner\* is one. Link below lists them:

Don't Pollute User Space

* * * * *

Review of AppGuard that covers System Space and User Space. You can also search for both Windows System Space and User Space online for more info.

Blue Ridge Networks AppGuard Review

I stopped using XP 10 years ago - so I don't remember - but from your posts XP software restriction policy is blocking User Space executions. You have to figure out how to modify XP's policy restrictions.

I don't know anything about XP's restriction policies.
 

hjlbx

Since you brought that up, though, I don't understand why users who are above my grade speak of dealing with untrusted files on their system by sandboxing, etc. because I figure that these people know better than to download anything dodgy unless they're engaged in some sort of deliberate experimentation.

What is there not to understand ?

Malicious files, scripts and other code can get onto your system completely without your knowledge -- just by navigating to a website and not clicking a single thing, inserting a USB flash drive, connecting to network shares (LAN), opening a Word document or PDF, etc...

It's not limited to only the files you intentionally download and execute.

At the very least, all unknown\untrusted code -- especially from internet facing applications -- should be restricted with least privileges and access rights (software restriction policy) and\or contained (isolated environment or sandbox).

Best practice is to block as much unknown\untrusted code as you can by default (default-deny).
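The two points raised in this thread, "how do I make exceptions?" and "default-deny for User Space", come down to how Software Restriction Policy rules are ordered: hash rules beat path rules, and among matching path rules the more specific one wins, with the default level applying when nothing matches. The following is an added illustration (not code from the thread or from Windows) that models that evaluation in Python; the rule set, the SHA-256 of a constructed sample installer, and the Dashlane folder used for the path exception are all assumptions.

```python
import hashlib
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed stand-in for a known-good installer; in practice the hash
# would be taken from the real file after verifying it.
SAMPLE_INSTALLER = b"constructed sample installer bytes"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed policy modelled on the XP setup described in the thread:
# default-deny, OS and Program Files allowed, all of Documents and Settings
# (user space) disallowed, plus two narrow exceptions for trusted code.
POLICY = {
    "default": DISALLOWED,
    "hash_rules": {sha256(SAMPLE_INSTALLER): UNRESTRICTED},
    "path_rules": [
        (r"C:\Windows\*", UNRESTRICTED),
        (r"C:\Program Files\*", UNRESTRICTED),
        (r"C:\Documents and Settings\*", DISALLOWED),
        # assumed install folder; a more specific rule than the one above
        (r"C:\Documents and Settings\*\Application Data\Dashlane\*", UNRESTRICTED),
    ],
}

def _norm(p: str) -> str:
    # Case-insensitive comparison with normalised separators, as SRP does.
    return str(PureWindowsPath(p)).lower()

def evaluate(path: str, content: bytes, policy=POLICY):
    """Return (level, reason) for a launch attempt.
    Hash rules take precedence over path rules; among matching path rules
    the most specific (here: longest) pattern wins; else the default applies."""
    level = policy["hash_rules"].get(sha256(content))
    if level:
        return level, "hash rule"
    matches = [(pat, lvl) for pat, lvl in policy["path_rules"]
               if fnmatchcase(_norm(path), _norm(pat))]
    if matches:
        pat, lvl = max(matches, key=lambda m: len(m[0]))
        return lvl, f"path rule {pat}"
    return policy["default"], "default level"
```

An executable dropped into a user-space Temp folder is only allowed here if its hash is on the list, which is the "exceptions only for trusted/known files" approach described above.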
 

conceptualclarity
I tried to resolve the Dashlane problem by moving the Application Data folder with the executables to my external hard drive and changing the Start Menu shortcut. I opened it successfully, but didn't yet create an account. Lo and behold, ExeWatch notifies me that Dashlane has recreated in Application Data those folders I moved to the external hard drive.
 

