Applocker on Windows Home.
<blockquote data-quote="Andy Ful" data-source="post: 1012726" data-attributes="member: 32260">
<p>In my previous posts, I proposed the Applocker settings similar to Smart App Control (but more usable).</p>
<p>Anyway, there exists an even more usable setup for Microsoft Defender and Avast. Both AVs can be tweaked for very strong EXE protection. In Microsoft Defender, one can enable the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria". Avast can be tweaked to use Hardened Mode. Also, the recently improved SmartScreen for Explorer can prevent most attacks via EXE files (including EXE embedded in archives and disk images).</p>
<p>The idea is simple. Allow in Applocker all EXE files everywhere, except some blocked LOLBins. The protection for MSI, DLL, and packaged apps can still rely on signed files. Scripts are mostly blocked in UserSpace. This protection for MSI, DLL, and Script file types can nicely cover some holes in the protection of Avast and Microsoft Defender.</p>
<p>Now, most applications can be installed and used without turning off the Applocker protection. One can expect some blocks from the AV, especially for unsigned niche programs. This setup can be applied on the computers of casual users, but the occasional help from the advanced user will still be required.</p>
<pre>
<#
.SYNOPSIS

 This function creates new AppLocker settings using MDM WMI Bridge.
 All previous rules will be deleted.

 ** EXE - all EXE allowed everywhere except LOLBins (blocked as Administrator too)
 ** DLL and MSI - blocked in some user folders (Documents, Favorites, Music, Pictures, Videos).
 The settings include the below block rules:
 <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/>
 <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/>
 <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/>
 <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/>
 <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/>
 The paths must be corrected if one or more user folders are redirected to OneDrive
 or another location.
 ** DLL rules also block Administrators. Allow and Deny rules for DLL:
 Allow all files located in the Program Files folder
 Allow all files located in the Windows folder (with some exceptions for blocked writable folders)
 Allow all signed files located in UserSpace (with some exceptions for blocked folders; can be
 edited by the user)
 Allow some paths for unsigned files located in UserSpace (can be edited by the user)
 ** MSI rules do not block Administrators. Allow rules:
 Allow all files in the folder %systemdrive%\Windows\Installer
 Allow all signed files everywhere (with some exceptions in Windows folder and UserSpace)
 ** Script rules do not block Administrators. Allow rules:
 Allow all files located in the Program Files folder
 Allow all files located in the Windows folder (with some exceptions for blocked writable folders)
 ** StoreApps rule also blocks Administrators. Allow rule:
 Allow all signed files everywhere (with some exceptions in Windows folder and UserSpace)

--------------------------------------------------------------------------------------------------

 The script uses some fake rules that are inactive. The fake path rules are:

 A:\DLL_FakeWhitelistedPath\*
 A:\DLL_FakeBlockedPath\*
 A:\MSI_FakeBlockedPath\*

 These rules have got the unused drive letter (A:), so they are always inactive, except when
 the fake path is replaced by the real folder/file path.
 Fake whitelisting rules require unique GUIDs.

 The fake publisher block rule for LOLBins will be active after replacing the fake ProductName
 with the asterisk, for example:
 ProductName="HomeApplocker:POWERSHELL.EXE" ----> ProductName="*"
 Similar fake rules are for powershell_ise.exe and HH.exe.
 The fake publisher block rule requires a unique GUID and the correct publisher info.

---------------------------------------------------------------------------------------------------
How to install applications.

Most of the EXE installers (signed or not) can be installed and used with enabled protection.
The signed MSI installers can be installed and used with enabled protection.
Some applications can still refuse to work properly after the installation if they try
to run some unsigned DLL libraries in UserSpace. This should be checked via Windows Event Log
(Applocker IDs: 8007, 8004).
---------------------------------------------------------------------------------------------------

.CREDITS
 These scripts are based on the script for EXE files made by Sandy Zeng (Sandy Tsang).
 https://github.com/sandytsang/MSIntune/tree/master/Intune-PowerShell/AppLocker
#>

# Deleting all previous policies
$namespaceName = "root\cimv2\mdm\dmmap" #Do not change this
$GroupName = "AppLocker001" #Your own groupName
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"

$classNameDLL = "MDM_AppLocker_DLL03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Filter "ParentID=`'$parentID`' and InstanceID='DLL'" | Remove-CimInstance

$classNameEXE = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Filter "ParentID=`'$parentID`' and InstanceID='EXE'" | Remove-CimInstance

$classNameMSI = "MDM_AppLocker_MSI03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Filter "ParentID=`'$parentID`' and InstanceID='MSI'" | Remove-CimInstance

$classNameScript = "MDM_AppLocker_Script03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Filter "ParentID=`'$parentID`' and InstanceID='Script'" | Remove-CimInstance

$classNameStoreApps = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Filter "ParentID=`'$parentID`' and InstanceID='Storeapps'" | Remove-CimInstance

Add-Type -AssemblyName System.Web


#This is example Rule Collection for EXE (*.exe, *.com)
$obj = [System.Net.WebUtility]::HtmlEncode(@"
 <RuleCollection Type="Exe" EnforcementMode="Enabled">
 <FilePathRule Id="9cff703a-6dbd-48f5-8ce3-94f8228b6ac4" Name="Allow all files everywhere" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="*"/>
 </Conditions>
 </FilePathRule>
# Publisher block rules for LOLBins
# ***********************
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96000" Name="POWERSHELL.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:POWERSHELL.EXE" BinaryName="POWERSHELL.EXE">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96001" Name="POWERSHELL_ISE.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:POWERSHELL_ISE.EXE" BinaryName="POWERSHELL_ISE.EXE">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96003" Name="RUNAS.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="RUNAS.EXE">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96004" Name="CIPHER.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CIPHER.EXE">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96005" Name="MSBUILD.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSBUILD.EXE">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96006" Name="InstallUtil.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="InstallUtil.exe">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96007" Name="REGSVCS.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="REGSVCS.EXE">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96008" Name="WMIC.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="WMIC.EXE">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96009" Name="PRESENTATIONHOST.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="PRESENTATIONHOST.EXE">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600a" Name="JSC.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="JSC.EXE">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600b" Name="MSHTA.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSHTA.EXE">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600c" Name="MICROSOFT.WORKFLOW.COMPILER.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MICROSOFT.WORKFLOW.COMPILER.EXE">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600d" Name="HH.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
 <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:HH.EXE" BinaryName="HH.EXE">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Property @{ParentID=$parentID;InstanceID="EXE";Policy=$obj}


#This is example Rule Collection for MSI (*.msi, *.msp, *.mst)
$obj = [System.Net.WebUtility]::HtmlEncode(@"
 <RuleCollection Type="Msi" EnforcementMode="Enabled">
 <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="Allow all signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
 <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 <Exceptions>
# Writable folders
 <FilePathCondition Path="%WINDIR%\debug\wia\*" />
 <FilePathCondition Path="%WINDIR%\registration\crmlog\*" />
 <FilePathCondition Path="%SYSTEM32%\com\dmp\*" />
 <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" />
 <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" />
 <FilePathCondition Path="%SYSTEM32%\fxstmp\*" />
 <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" />
 <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" />
 <FilePathCondition Path="%SYSTEM32%\spool\printers\*" />
 <FilePathCondition Path="%SYSTEM32%\spool\servers\*" />
 <FilePathCondition Path="%SYSTEM32%\tasks\*" />
 <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" />
 <FilePathCondition Path="%WINDIR%\tasks\*" />
 <FilePathCondition Path="%WINDIR%\temp\*" />
 <FilePathCondition Path="%WINDIR%\tracing\*" />
# Custom Block path rules in UserSpace for MSI (signed and unsigned)
# *****************************************************************
 <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/>
 <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/>
 <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/>
 <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/>
 <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/>
# Fake paths that can be edited by the user (replace A:\MSI_FakeBlockedPath with a real path):
 <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/>
# End of Block path rules in UserSpace for MSI.
 </Exceptions>
 </FilePublisherRule>
 <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="Allow files in the folder %systemdrive%\Windows\Installer." Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="%WINDIR%\Installer\*" />
 </Conditions>
 </FilePathRule>
 <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
 <Conditions>
 <FilePathCondition Path="*" />
 </Conditions>
 </FilePathRule>
 </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Property @{ParentID=$parentID;InstanceID="MSI";Policy=$obj}


#This is example Rule Collection for scripts (*.bat, *.cmd, *.vbe, *.vbs, *.jse, *.js, *.wsf, *.wsh)
$obj = [System.Net.WebUtility]::HtmlEncode(@"
 <RuleCollection Type="Script" EnforcementMode="Enabled">
 <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="Allow scripts in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="%PROGRAMFILES%\*" />
 </Conditions>
 </FilePathRule>
 <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="Allow scripts in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="%WINDIR%\*" />
 </Conditions>
 <Exceptions>
# Writable folders
 <FilePathCondition Path="%WINDIR%\debug\wia\*" />
 <FilePathCondition Path="%WINDIR%\registration\crmlog\*" />
 <FilePathCondition Path="%SYSTEM32%\com\dmp\*" />
 <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" />
 <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" />
 <FilePathCondition Path="%SYSTEM32%\fxstmp\*" />
 <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" />
 <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" />
 <FilePathCondition Path="%SYSTEM32%\spool\printers\*" />
 <FilePathCondition Path="%SYSTEM32%\spool\servers\*" />
 <FilePathCondition Path="%SYSTEM32%\tasks\*" />
 <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" />
 <FilePathCondition Path="%WINDIR%\tasks\*" />
 <FilePathCondition Path="%WINDIR%\temp\*" />
 <FilePathCondition Path="%WINDIR%\tracing\*" />
 </Exceptions>
 </FilePathRule>
 <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
 <Conditions>
 <FilePathCondition Path="*" />
 </Conditions>
 </FilePathRule>
 </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Property @{ParentID=$parentID;InstanceID="Script";Policy=$obj}


#This is example Rule Collection for DLL (*.cpl, *.dll, *.ocx, *.rll)
$obj = [System.Net.WebUtility]::HtmlEncode(@"
 <RuleCollection Type="Dll" EnforcementMode="Enabled">
 <FilePathRule Id="bac4b0bf-6f1b-40e8-8627-8545fa89c8b6" Name="Allow DLLs in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="%WINDIR%\*" />
 </Conditions>
 <Exceptions>
# Writable folders
 <FilePathCondition Path="%WINDIR%\debug\wia\*" />
 <FilePathCondition Path="%WINDIR%\registration\crmlog\*" />
 <FilePathCondition Path="%SYSTEM32%\com\dmp\*" />
 <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" />
 <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" />
 <FilePathCondition Path="%SYSTEM32%\fxstmp\*" />
 <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" />
 <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" />
 <FilePathCondition Path="%SYSTEM32%\spool\printers\*" />
 <FilePathCondition Path="%SYSTEM32%\spool\servers\*" />
 <FilePathCondition Path="%SYSTEM32%\tasks\*" />
 <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" />
 <FilePathCondition Path="%WINDIR%\tasks\*" />
 <FilePathCondition Path="%WINDIR%\temp\*" />
 <FilePathCondition Path="%WINDIR%\tracing\*" />
 </Exceptions>
 </FilePathRule>
 <FilePathRule Id="3737732c-99b7-41d4-9037-9cddfb0de0d0" Name="Allow DLLs in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="%PROGRAMFILES%\*" />
 </Conditions>
 </FilePathRule>
# Global Allow rule in UserSpace for signed DLL
 <FilePublisherRule Id="1f0d0ec5-8523-4aa0-976a-ad2d2c21eed7" Name="Allow all Signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
 <BinaryVersionRange LowSection="*" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 <Exceptions>
# Writable folders
 <FilePathCondition Path="%WINDIR%\debug\wia\*" />
 <FilePathCondition Path="%WINDIR%\registration\crmlog\*" />
 <FilePathCondition Path="%SYSTEM32%\com\dmp\*" />
 <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" />
 <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" />
 <FilePathCondition Path="%SYSTEM32%\fxstmp\*" />
 <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" />
 <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" />
 <FilePathCondition Path="%SYSTEM32%\spool\printers\*" />
 <FilePathCondition Path="%SYSTEM32%\spool\servers\*" />
 <FilePathCondition Path="%SYSTEM32%\tasks\*" />
 <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" />
 <FilePathCondition Path="%WINDIR%\tasks\*" />
 <FilePathCondition Path="%WINDIR%\temp\*" />
 <FilePathCondition Path="%WINDIR%\tracing\*" />
# Custom Block path rules in UserSpace for DLL (signed and unsigned)
# *****************************************************************
 <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/>
 <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/>
 <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/>
 <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/>
 <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/>
# Fake paths that can be edited by the user (replace A:\DLL_FakeBlockedPath with a real path):
 <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
 <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/>
# End of Block path rules in UserSpace for DLL.
 </Exceptions>
 </FilePublisherRule>
# Custom Allow path rules in UserSpace for DLL (replace A:\DLL_FakeWhitelistedPath by the real path)
# ***************************************************************************************************
 <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6001" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
 </Conditions>
 </FilePathRule>
 <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6002" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
 </Conditions>
 </FilePathRule>
 <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6003" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
 </Conditions>
 </FilePathRule>
 <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6004" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
 </Conditions>
 </FilePathRule>
 <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6005" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
 </Conditions>
 </FilePathRule>
 <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6006" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
 </Conditions>
 </FilePathRule>
 <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6007" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
 </Conditions>
 </FilePathRule>
 <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6008" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
 </Conditions>
 </FilePathRule>
 <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6009" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
 </Conditions>
 </FilePathRule>
 <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b600a" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/>
 </Conditions>
 </FilePathRule>
# End of whitelisting path rules for DLL
 </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Property @{ParentID=$parentID;InstanceID="DLL";Policy=$obj}

# Rule required to prevent blocking packaged apps when rules for EXE are enforced.
$obj = [System.Net.WebUtility]::HtmlEncode(@"
 <RuleCollection Type="Appx" EnforcementMode="Enabled">
 <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 <Conditions>
 <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
 <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
 </FilePublisherCondition>
 </Conditions>
 </FilePublisherRule>
 </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Property @{ParentID=$parentID;InstanceID="Storeapps";Policy=$obj}

Write-Host "The script has finished the work. The console can be closed or it will be closed automatically after 5 minutes."
start-sleep 300
</pre>
<p><strong><span style="color: rgb(184, 49, 47)">Warning!!!</span></strong></p>
<p><span style="color: rgb(184, 49, 47)"><strong>I strongly recommend making a System Restore Point before applying the Applocker rules.</strong></span></p>
<p>Post updated.</p>
</blockquote>
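The script above deletes the previous policy and pushes each here-string straight into the MDM Bridge, so a typo in a GUID or a rule left in its dormant form is only discovered after enforcement. The function below is an added example written for this page, not part of Andy Ful's script: it parses one RuleCollection here-string before it is HtmlEncoded, checks that the text is well-formed XML, that every rule Id is a unique GUID (the post notes that the fake whitelisting rules and the fake publisher rule require unique GUIDs), and reports which deny rules are active and which placeholders are still dormant. It assumes the post's own placeholder conventions (fake paths on drive A:, a "HomeApplocker:" prefix in ProductName for dormant publisher rules); the cut-down EXE collection at the end is constructed for the demonstration.

```powershell
# Added example (not from Andy Ful's script): pre-flight check of one AppLocker
# RuleCollection before it is HtmlEncoded and pushed through the MDM WMI Bridge.
# Assumes the post's placeholder conventions: fake paths live on drive A:\ and
# dormant publisher rules carry a "HomeApplocker:" ProductName prefix.
function Test-HomeAppLockerCollection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $RuleXml   # the raw here-string, before [System.Net.WebUtility]::HtmlEncode
    )

    $fakeDrivePattern   = '^A:\\'           # A:\DLL_FakeWhitelistedPath, A:\MSI_FakeBlockedPath, ...
    $fakeProductPattern = '^HomeApplocker:' # ProductName="HomeApplocker:POWERSHELL.EXE"

    # Throws if the text is not well-formed XML. The "# ..." lines inside the
    # here-strings parse as plain text nodes and are skipped below.
    [xml] $doc = $RuleXml
    $collection = $doc.DocumentElement
    if ($collection.LocalName -ne 'RuleCollection') {
        throw "Root element is '$($collection.LocalName)', expected 'RuleCollection'."
    }

    # Only element children are rules.
    $rules = @($collection.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })

    # Every rule Id must be a GUID and must not repeat inside the collection.
    $ids          = @($rules | ForEach-Object { $_.GetAttribute('Id') })
    $duplicateIds = @($ids | Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })
    $malformedIds = @($ids | Where-Object { $g = [guid]::Empty; -not [guid]::TryParse($_, [ref] $g) })

    # Dormant path slots: conditions still pointing at the unused A: drive.
    $dormantPaths = @($doc.SelectNodes('//FilePathCondition') |
        Where-Object { $_.GetAttribute('Path') -match $fakeDrivePattern })

    # Deny rules split into active ones and those still carrying the fake ProductName.
    $activeDenies  = @()
    $dormantDenies = @()
    foreach ($rule in @($rules | Where-Object { $_.GetAttribute('Action') -eq 'Deny' })) {
        $pub = $rule.SelectSingleNode('Conditions/FilePublisherCondition')
        if ($pub -and $pub.GetAttribute('ProductName') -match $fakeProductPattern) {
            $dormantDenies += $rule.GetAttribute('Name')
        } else {
            $activeDenies += $rule.GetAttribute('Name')
        }
    }

    [pscustomobject]@{
        CollectionType   = $collection.GetAttribute('Type')
        EnforcementMode  = $collection.GetAttribute('EnforcementMode')
        RuleCount        = $rules.Count
        DuplicateRuleIds = $duplicateIds
        MalformedRuleIds = $malformedIds
        ActiveDenyRules  = $activeDenies
        DormantDenyRules = $dormantDenies
        DormantPathSlots = $dormantPaths.Count
        ReadyToPush      = ($duplicateIds.Count -eq 0) -and ($malformedIds.Count -eq 0)
    }
}

# Constructed sample: a cut-down EXE collection in the post's style, with one
# dormant deny (POWERSHELL.EXE) and one active deny (MSHTA.EXE).
$sampleExe = @'
<RuleCollection Type="Exe" EnforcementMode="Enabled">
 <FilePathRule Id="9cff703a-6dbd-48f5-8ce3-94f8228b6ac4" Name="Allow all files everywhere" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions><FilePathCondition Path="*"/></Conditions>
 </FilePathRule>
# Publisher block rules for LOLBins
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96000" Name="POWERSHELL.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
  <Conditions>
   <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:POWERSHELL.EXE" BinaryName="POWERSHELL.EXE">
    <BinaryVersionRange LowSection="*" HighSection="*" />
   </FilePublisherCondition>
  </Conditions>
 </FilePublisherRule>
 <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600b" Name="MSHTA.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
  <Conditions>
   <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSHTA.EXE">
    <BinaryVersionRange LowSection="*" HighSection="*" />
   </FilePublisherCondition>
  </Conditions>
 </FilePublisherRule>
</RuleCollection>
'@

Test-HomeAppLockerCollection -RuleXml $sampleExe | Format-List
```

To use it with the script, keep each here-string in a variable first (`$exeXml = @" ... "@`), run `Test-HomeAppLockerCollection -RuleXml $exeXml`, and only then pass `$exeXml` to `HtmlEncode` and `New-CimInstance`. `DormantDenyRules` lists the LOLBin rules that still need their ProductName changed to `*` to take effect, and `DormantPathSlots` counts the A: placeholders that have not been pointed at a real folder yet.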
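The post says that an application which stops working after installation should be checked in the Windows Event Log for AppLocker block events (IDs 8004 and 8007). The functions below are an added example for this page, not code from the post: they read the two AppLocker operational logs with Get-WinEvent, pull the file path, publisher and user out of each block event, and summarise the blocks per file so the user can see which unsigned library an application tried to load and decide whether one of the A:\DLL_FakeWhitelistedPath slots should be pointed at it. They assume the standard log names "Microsoft-Windows-AppLocker/EXE and DLL" and "Microsoft-Windows-AppLocker/MSI and Script", the RuleAndFileData field names (FilePath, Fqbn, TargetUser, RuleName) as written in those events, and that Fqbn is "-" for a file without a publisher. The single event record at the end is constructed so the parsing and grouping can be exercised without a live log.

```powershell
# Added example (not from Andy Ful's script): triage of AppLocker block events.
# Assumes the standard AppLocker log names and the RuleAndFileData fields of
# events 8004 (EXE/DLL blocked) and 8007 (MSI/Script blocked).

# Turn one event's XML (EventLogRecord.ToXml()) into a flat record.
function ConvertFrom-AppLockerBlockEvent {
    param([Parameter(Mandatory)] [string] $EventXml)
    $x    = [xml] $EventXml
    $sys  = $x.Event.System
    $data = $x.Event.UserData.RuleAndFileData
    $eventId = $sys.EventID
    if ($eventId -is [System.Xml.XmlElement]) { $eventId = $eventId.InnerText }  # EventID may carry attributes
    [pscustomobject]@{
        Time      = [datetime] $sys.TimeCreated.SystemTime
        EventId   = [int] $eventId
        Channel   = $sys.Channel
        FilePath  = $data.FilePath          # e.g. %OSDRIVE%\USERS\...\HELPER.DLL
        Signed    = ($data.Fqbn -ne '-')    # assumption: '-' means no publisher
        Publisher = $data.Fqbn
        User      = $data.TargetUser
        Rule      = $data.RuleName
    }
}

# Read the block events of the last N hours from the live logs (Windows only).
function Get-AppLockerBlockEvent {
    param([int] $Hours = 24)
    $filter = @{
        LogName   = @('Microsoft-Windows-AppLocker/EXE and DLL',
                      'Microsoft-Windows-AppLocker/MSI and Script')
        Id        = @(8004, 8007)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error (not an empty result) when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AppLockerBlockEvent -EventXml $_.ToXml() }
}

# Group records by file so a repeatedly blocked DLL stands out.
function Group-AppLockerBlock {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Record)
    begin   { $all = @() }
    process { $all += $Record }
    end {
        $all | Group-Object FilePath | Sort-Object Count -Descending | ForEach-Object {
            $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
            [pscustomobject]@{
                Blocks   = $_.Count
                FilePath = $_.Name
                Signed   = $latest.Signed
                LastSeen = $latest.Time
                User     = $latest.User
                EventId  = $latest.EventId
            }
        }
    }
}

# Constructed sample record: an unsigned DLL blocked under the user's profile.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>8004</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.1234567Z" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>DLL</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleName>-</RuleName>
      <TargetUser>S-1-5-21-1111-2222-3333-1001</TargetUser>
      <TargetProcessId>4242</TargetProcessId>
      <FilePath>%OSDRIVE%\USERS\ALICE\APPDATA\LOCAL\SOMEAPP\HELPER.DLL</FilePath>
      <FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
      <Fqbn>-</Fqbn>
    </RuleAndFileData>
  </UserData>
</Event>
'@

# Offline run on the constructed record:
@(ConvertFrom-AppLockerBlockEvent -EventXml $sampleEvent) | Group-AppLockerBlock | Format-Table -AutoSize

# Live run on the machine where the policy is enforced:
# Get-AppLockerBlockEvent -Hours 48 | Group-AppLockerBlock | Format-Table -AutoSize
```

A row with `Signed` false under a user-profile path is the case the post describes: a program running an unsigned DLL from UserSpace. The folder from `FilePath` (with `%OSDRIVE%` mapped back to the system drive) is the candidate for one of the A:\DLL_FakeWhitelistedPath slots in the DLL collection; a row with `Signed` true under Documents, Music, Pictures, Videos or Favorites is hitting the custom block paths instead.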
<Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:POWERSHELL.EXE" BinaryName="POWERSHELL.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96001" Name="POWERSHELL_ISE.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:POWERSHELL_ISE.EXE" BinaryName="POWERSHELL_ISE.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96003" Name="RUNAS.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="RUNAS.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96004" Name="CIPHER.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CIPHER.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96005" Name="MSBUILD.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSBUILD.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96006" 
Name="InstallUtil.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="InstallUtil.exe"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96007" Name="REGSVCS.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="REGSVCS.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96008" Name="WMIC.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="WMIC.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a96009" Name="PRESENTATIONHOST.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="PRESENTATIONHOST.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600a" Name="JSC.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="JSC.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule 
Id="f493e22c-63a9-4811-ab94-c5d8a8a9600b" Name="MSHTA.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSHTA.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600c" Name="MICROSOFT.WORKFLOW.COMPILER.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MICROSOFT.WORKFLOW.COMPILER.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="f493e22c-63a9-4811-ab94-c5d8a8a9600d" Name="HH.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="HomeApplocker:HH.EXE" BinaryName="HH.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Property @{ParentID=$parentID;InstanceID="EXE";Policy=$obj} #This is example Rule Collection for MSI (*.msi, *.msp, *.mst) $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Msi" EnforcementMode="Enabled"> <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="Allow all signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> </FilePublisherCondition> </Conditions> <Exceptions> # Writable folders <FilePathCondition Path="%WINDIR%\debug\wia\*" /> <FilePathCondition 
Path="%WINDIR%\registration\crmlog\*" /> <FilePathCondition Path="%SYSTEM32%\com\dmp\*" /> <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" /> <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" /> <FilePathCondition Path="%SYSTEM32%\fxstmp\*" /> <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" /> <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" /> <FilePathCondition Path="%SYSTEM32%\spool\printers\*" /> <FilePathCondition Path="%SYSTEM32%\spool\servers\*" /> <FilePathCondition Path="%SYSTEM32%\tasks\*" /> <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" /> <FilePathCondition Path="%WINDIR%\tasks\*" /> <FilePathCondition Path="%WINDIR%\temp\*" /> <FilePathCondition Path="%WINDIR%\tracing\*" /> # Custom Block path rules in UserSpace for MSI (signed and unsigned) # ***************************************************************** <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/> # Fake paths that can be edited by the user (replace A:\MSI_FakeBlockedPath with a real path):: <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> <FilePathCondition Path="A:\MSI_FakeBlockedPath\*"/> # End of Block path rules in UserSpace for MSI. 
</Exceptions> </FilePublisherRule> <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="Allow files in the folder %systemdrive%\Windows\Installer." Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\Installer\*" /> </Conditions> </FilePathRule> <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Property @{ParentID=$parentID;InstanceID="MSI";Policy=$obj} #This is example Rule Collection for scripts (*.bat, *.cmd, *.vbe, *.vbs, *.jse, *js, *.wsf, *.wsh) $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Script" EnforcementMode="Enabled"> <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="Allow scripts in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="Allow scripts in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\*" /> </Conditions> <Exceptions> # Writable folders <FilePathCondition Path="%WINDIR%\debug\wia\*" /> <FilePathCondition Path="%WINDIR%\registration\crmlog\*" /> <FilePathCondition Path="%SYSTEM32%\com\dmp\*" /> <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" /> <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" /> <FilePathCondition Path="%SYSTEM32%\fxstmp\*" /> <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" /> <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" /> <FilePathCondition Path="%SYSTEM32%\spool\printers\*" /> <FilePathCondition 
Path="%SYSTEM32%\spool\servers\*" /> <FilePathCondition Path="%SYSTEM32%\tasks\*" /> <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" /> <FilePathCondition Path="%WINDIR%\tasks\*" /> <FilePathCondition Path="%WINDIR%\temp\*" /> <FilePathCondition Path="%WINDIR%\tracing\*" /> </Exceptions> </FilePathRule> <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Property @{ParentID=$parentID;InstanceID="Script";Policy=$obj} #This is example Rule Collection for DLL (*.cpl, *.dll, *.ocx, *.rll) $obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Dll" EnforcementMode="Enabled"> <FilePathRule Id="bac4b0bf-6f1b-40e8-8627-8545fa89c8b6" Name="Allow DLLs in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\*" /> </Conditions> <Exceptions> # Writable folders <FilePathCondition Path="%WINDIR%\debug\wia\*" /> <FilePathCondition Path="%WINDIR%\registration\crmlog\*" /> <FilePathCondition Path="%SYSTEM32%\com\dmp\*" /> <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" /> <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" /> <FilePathCondition Path="%SYSTEM32%\fxstmp\*" /> <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" /> <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" /> <FilePathCondition Path="%SYSTEM32%\spool\printers\*" /> <FilePathCondition Path="%SYSTEM32%\spool\servers\*" /> <FilePathCondition Path="%SYSTEM32%\tasks\*" /> <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" /> <FilePathCondition Path="%WINDIR%\tasks\*" /> <FilePathCondition Path="%WINDIR%\temp\*" /> <FilePathCondition Path="%WINDIR%\tracing\*" /> </Exceptions> 
</FilePathRule> <FilePathRule Id="3737732c-99b7-41d4-9037-9cddfb0de0d0" Name="Allow DLLs in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\*" /> </Conditions> </FilePathRule> # Global Allow rule in UserSpace for signed DLL <FilePublisherRule Id="1f0d0ec5-8523-4aa0-976a-ad2d2c21eed7" Name="Allow all Signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> <Exceptions> # Writable folders <FilePathCondition Path="%WINDIR%\debug\wia\*" /> <FilePathCondition Path="%WINDIR%\registration\crmlog\*" /> <FilePathCondition Path="%SYSTEM32%\com\dmp\*" /> <FilePathCondition Path="%SYSTEM32%\config\systemprofile\appdata\local\packages\wdagrdpclientappcontainer\ac\*" /> <FilePathCondition Path="%SYSTEM32%\drivers\driverdata\*" /> <FilePathCondition Path="%SYSTEM32%\fxstmp\*" /> <FilePathCondition Path="%SYSTEM32%\microsoft\crypto\rsa\machinekeys\*" /> <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" /> <FilePathCondition Path="%SYSTEM32%\spool\printers\*" /> <FilePathCondition Path="%SYSTEM32%\spool\servers\*" /> <FilePathCondition Path="%SYSTEM32%\tasks\*" /> <FilePathCondition Path="%SYSTEM32%\tasks_migrated\*" /> <FilePathCondition Path="%WINDIR%\tasks\*" /> <FilePathCondition Path="%WINDIR%\temp\*" /> <FilePathCondition Path="%WINDIR%\tracing\*" /> # Custom Block path rules in UserSpace for DLL (signed and unsigned) # ***************************************************************** <FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Favorites\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Music\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Pictures\*"/> <FilePathCondition Path="%OSDRIVE%\Users\*\Videos\*"/> # Fake paths that can be edited by the 
user (replace A:\DLL_FakeBlockedPath with a real path):: <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> <FilePathCondition Path="A:\DLL_FakeBlockedPath\*"/> # End of Block path rules in UserSpace for DLL. </Exceptions> </FilePublisherRule> # Custom Allow path rules in UserSpace for DLL (replace A:\DLL_FakeWhitelistedPath , by the real path) # *************************************************************************************************** <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6001" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6002" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6003" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6004" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6005" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule 
Id="ccff703a-6dbd-48f5-8ce3-94f8228b6006" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6007" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6008" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b6009" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> <FilePathRule Id="ccff703a-6dbd-48f5-8ce3-94f8228b600a" Name="" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="A:\DLL_FakeWhitelistedPath"/> </Conditions> </FilePathRule> # End of whitelisting path rules for DLL </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Property @{ParentID=$parentID;InstanceID="DLL";Policy=$obj} # Rule required to prevent blocking packaged apps when rules for EXE are enforced. 
$obj = [System.Net.WebUtility]::HtmlEncode(@" <RuleCollection Type="Appx" EnforcementMode="Enabled"> <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection> "@) New-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Property @{ParentID=$parentID;InstanceID="Storeapps";Policy=$obj} Write-Host "The script has finished the work. The console can be closed or it will be closed automatically after 5 minutes." start-sleep 300 [/CODE] [B][COLOR=rgb(184, 49, 47)]Warning!!![/COLOR][/B] [COLOR=rgb(184, 49, 47)][B]I strongly recommend making a System Restore Point before applying the Applocker rules.[/B][/COLOR] Post updated. [/QUOTE]
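The post leaves two follow-up tasks to "the advanced user": checking the AppLocker event log (IDs 8004 and 8007) when an application stops working, and replacing the fake A:\DLL_FakeWhitelistedPath slots with real rules that need their own GUIDs. The helpers below are an added example written for this page; they are not part of Andy Ful's script or the Hard_Configurator tools. They reuse the namespace, class names and $GroupName from the script above, and they assume the standard AppLocker event log names and the RuleAndFileData element names (PolicyName, FilePath, Fqbn, TargetUser) of the AppLocker event schema; the sample path passed at the end is constructed.

```powershell
# Added example (not part of Andy Ful's script): read the stored policy back,
# list what AppLocker blocked, and build an allow rule with a fresh GUID.
# Run elevated, in the same way as the script that wrote the policy.

function Get-MdmAppLockerPolicy {
    # Decodes each rule collection stored through the MDM WMI Bridge and returns
    # one object per rule, so the applied policy can be compared with the intent.
    param([string]$GroupName = 'AppLocker001')   # must match $GroupName in the script
    $ns      = 'root\cimv2\mdm\dmmap'
    $parent  = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
    $classes = [ordered]@{                        # same CSP classes as the script
        EXE       = 'MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03'
        DLL       = 'MDM_AppLocker_DLL03'
        MSI       = 'MDM_AppLocker_MSI03'
        Script    = 'MDM_AppLocker_Script03'
        Storeapps = 'MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03'
    }
    foreach ($k in $classes.Keys) {
        $inst = Get-CimInstance -Namespace $ns -ClassName $classes[$k] `
                    -Filter "ParentID='$parent' and InstanceID='$k'" -ErrorAction SilentlyContinue
        if (-not $inst) { continue }
        # The script stored the XML HTML-encoded, so decode before parsing.
        [xml]$policy = [System.Net.WebUtility]::HtmlDecode($inst.Policy)
        foreach ($rule in ($policy.RuleCollection.ChildNodes | Where-Object NodeType -eq 'Element')) {
            [pscustomobject]@{
                Collection = $k
                RuleType   = $rule.LocalName                  # FilePathRule / FilePublisherRule
                Action     = $rule.GetAttribute('Action')
                Name       = $rule.GetAttribute('Name')
                Id         = $rule.GetAttribute('Id')
                Exceptions = $rule.SelectNodes('Exceptions/*').Count
            }
        }
    }
}

function Get-AppLockerBlockEvents {
    # Collects block events for the two log channels the post refers to:
    # 8004 = EXE/DLL blocked, 8007 = MSI/Script blocked.
    param([int]$MaxEvents = 50, [datetime]$Since = (Get-Date).AddDays(-7))
    $queries = @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8004 },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8007 }
    )
    foreach ($q in $queries) {
        $q.StartTime = $Since
        $events = Get-WinEvent -FilterHashtable $q -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Element names assumed from the AppLocker event schema (RuleAndFileData).
            $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time       = $e.TimeCreated
                EventId    = $e.Id
                Collection = $data.PolicyName     # EXE, DLL, MSI or SCRIPT
                FilePath   = $data.FilePath       # %OSDRIVE%\... style, as AppLocker logs it
                Publisher  = $data.Fqbn           # '-' for an unsigned file
                User       = $data.TargetUser
            }
        }
    }
}

function New-AppLockerPathAllowRule {
    # Emits a FilePathRule for a real folder, to paste over one of the
    # A:\DLL_FakeWhitelistedPath rules. Each rule gets its own GUID, as the
    # post requires for the fake whitelisting rules.
    param(
        [Parameter(Mandatory)][string]$Path,    # e.g. '%OSDRIVE%\Users\*\AppData\Local\SomeApp\*'
        [string]$Name = "Allow DLLs in $Path"
    )
    $id   = [guid]::NewGuid().ToString()
    $esc  = [System.Security.SecurityElement]::Escape($Path)
    $escN = [System.Security.SecurityElement]::Escape($Name)
@"
<FilePathRule Id="$id" Name="$escN" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePathCondition Path="$esc"/>
  </Conditions>
</FilePathRule>
"@
}

# Usage (the folder below is a constructed sample, not a recommendation):
Get-MdmAppLockerPolicy | Format-Table Collection, RuleType, Action, Name, Exceptions
Get-AppLockerBlockEvents | Sort-Object Time -Descending | Format-Table Time, Collection, FilePath, Publisher
New-AppLockerPathAllowRule -Path '%OSDRIVE%\Users\*\AppData\Local\ExampleApp\*'
```

Reading the policy back is the quickest way to confirm that all five collections were written and that a fake rule was really replaced; a DLL block that shows `Publisher = -` is the unsigned-library case the post says to look for, and the logged FilePath (with its %OSDRIVE% form) can be passed straight to New-AppLockerPathAllowRule.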