Software restriction Policies to Windows Home

Discussion in 'Tutorials & Guides' started by Windows_Security, Sep 18, 2016.

  1. Umbra

    Umbra From Emsisoft
    Developer

    @Windows_Security is the SRP reg file still valid on the latest build/cumulative update of Win10?
     
    Andy Ful likes this.
  2. Andy Ful

    Andy Ful Level 21

    It works for me on Windows Home and Pro. :)
     
    Sunshine-boy and Umbra like this.
  3. xpdx

    xpdx New Member

    Can anyone please explain this?

    Antivirus scan for 5debfce0158cd2249ecea19f2ac9d686b7fca3f68319fb3e302708d62202808a at 2017-04-27 19:20:17 UTC - VirusTotal

    SHA256: 5debfce0158cd2249ecea19f2ac9d686b7fca3f68319fb3e302708d62202808a
    File name: softwarepolicy.exe
    Detection ratio: 4 / 59
    Analysis date: 2017-04-27

    Bkav - W32.HfsAtITSTIL.514A 20170427
    Qihoo-360 - HEUR/QVM10.1.0000.Malware.Gen 20170427
    Rising - Trojan.Win32.Dynamer.bt (cloud:EntDEr4kHFC) 20170427
    SentinelOne - static engine - malicious

    Thank you.
     
  4. Mr.X

    Mr.X Level 6

    Me. False positive.

    If it were a threat, other vendors would have tagged it as malicious a long time ago.
     
    Andytay70 and xpdx like this.
  5. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    #25 Windows_Security, Nov 8, 2017
    Last edited: Nov 8, 2017
    Got a surprise on Windows 10 Home (64-bit): with Basic User as the default level you are allowed to run programs from the taskbar which are in user folders.

    Seems that the reg files I posted work OK. Despite bad performance results of WD on AV-Comparatives, I hardly notice a difference (cold startup of Chrome takes 0.1 seconds longer; repetitive startups are the same with or without WD). So with UAC blocking unsigned elevation, SRP blocking user space execution, WD Controlled Folder Access and WD Exploit Protection, I frankly, my dear, don't see a need for third-party security software.
     
    Solarlynx, GonzitoVir, XhenEd and 2 others like this.
  6. Andy Ful

    Andy Ful Level 21

    #26 Andy Ful, Nov 8, 2017
    Last edited: Nov 8, 2017
    Windows Pro owner? Use Software Restriction Policies!
    I solved this issue in Hard_Configurator.
    .
    Edit
    The path to the TaskBar:
    c:\Users\User_Name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\
    The shortcut to the application is created here.
    With Default Security Level = Basic User, the shortcuts can run executables from anywhere.
    That behavior can be changed by explicit Disallowed rules for shortcuts or for executables.
     
    Sunshine-boy and XhenEd like this.
  7. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    #27 Windows_Security, Nov 8, 2017
    Last edited: Nov 9, 2017
    @Andy Ful

    Yes, I know about the shortcuts (links plus easy "run as admin" is why I like default level Standard User).

    But the surprising part was that I could run APC.exe (Albelli Photobook Creator) from the C:\Users\ymsna\AppData\Local\Albelli Fotoboeken folder, while any other program is blocked when trying to run from that folder. I copied APC.exe to another folder and SRP blocked it.

    So it seems that we have a possible scoop here: when you allow a program in Controlled Folder Access, it bypasses SRP.

    Could you ALLOW a program in Controlled Folder Access (see picture) and check whether it bypasses BASIC USER and DISALLOWED?

    upload_2017-11-9_1-59-27.png
     
    Av Gurus and XhenEd like this.
  8. Andy Ful

    Andy Ful Level 21

    #28 Andy Ful, Nov 9, 2017
    Last edited: Nov 9, 2017
    Controlled Folder Access turned ON. Allowed one application, c:\z\alternatestreamview.exe (normally blocked by default-deny SRP <--- Hard_Configurator).
    Explorer, Total Commander, cmd.exe, and SoftMaker Office are not added to allowed applications in Controlled Folder Access.
    .
    Results of my test:
    1. Application added to allowed applications in Controlled Folder Access is still blocked by SRP.
    2. Application not allowed in Controlled Folder Access, run elevated:
      • Cannot copy files to protected folders.
      • Cannot delete files from protected folders.
      • Opened documents are protected against modifications.
    3. Windows Explorer and Total Commander (run as standard user):
      • Can copy files to protected folders.
      • Can delete files from protected folders.
    4. cmd.exe (run as standard user or as administrator):
      • Cannot copy files to protected folders.
      • Cannot delete files from protected folders.
      • Opened documents are protected against modifications.
    5. SoftMaker Office 2012 run as standard user:
      • Cannot copy files to protected folders.
      • Files can be deleted from SoftMaker Office after accepting the UAC prompt.
      • Opened documents are protected against modifications.
    I noticed a strange thing that follows from the above. SoftMaker Office 2012 run as standard user could delete files (UAC prompt), but when run elevated it could not. I would rather expect the opposite.
    The second strange thing is that Total Commander run as standard user could copy/delete files from protected folders. If so, then ransomware will soon do it too (in theory).
    It may be that Controlled Folder Access has some bugs, so it can behave somewhat differently on different computers.
     
  9. Andy Ful

    Andy Ful Level 21

    #29 Andy Ful, Nov 9, 2017
    Last edited: Nov 9, 2017
    It seems that you have the file path (not folder path):
    C:\Users\ymsna\AppData\Local\Albelli Fotoboeken\APC.exe
    in SRP whitelist. So, APC.exe can run from this path but no other EXE. Also, all EXEs (APC.exe too) are blocked by SRP in other folders (in User Space).
     
    XhenEd likes this.
  10. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    #30 Windows_Security, Nov 9, 2017
    Last edited: Nov 9, 2017
    Yes, in Secure Folder Access, not SRP. Thanks for testing. Some unexpected results, mhh.

    When UAC was introduced (Vista), I could set internet-facing applications to run as Basic User. Running them in the Basic User box prevented them from elevating. In Windows 7 that behavior changed (they were allowed to elevate). In Windows 7, running Firefox as Basic User allows FF to run from the taskbar and start menu. When you navigate to FF with Windows Explorer and click to execute FF, Windows shows the "SRP" prompt (Admin prevented ...). In Windows 8.1 this behavior changed (Basic User same as default deny). So it looks like the first Secure Folders implementation has some unexpected results.
     
  11. Andy Ful

    Andy Ful Level 21

    I still have the impression that you have some non-standard settings. SRP in Windows 7 is the same as in Windows 8+, and different from Windows Vista. From Windows 7 on there is very little difference between the Basic User and Disallowed Default Security Levels. The difference is visible when dealing with shortcuts. I do not want to force you, but please try this (assuming that you are using an Admin account, not SUA):
    1. Run APC.exe and check its integrity level. If it is for sure running as standard user, then the points below are necessary to reset the SRP settings.
    2. Disable SRP using gpedit.exe - those policy settings can interfere with Hard_Configurator settings.
    3. Delete the registry key: HKLM\Software\Policies\Microsoft\Windows\Safer
    4. Delete the registry key: HKCU\Software\Policies\Microsoft\Windows\Safer
    5. Install and run Hard_Configurator, then press <Recommended SRP> in the main window.
    6. Press <Whitelist By Path> to see if the file path of APC.exe is on the White List (Hard_Configurator can automatically add some autoruns to the White List).
    7. Restart the system.
    Next, you can test the behavior of APC.exe again. It should be blocked (if not whitelisted by SRP).
    I installed Albelli Photo Book (it now has a new vendor, Bonusprint), turned on Controlled Folder Access and added the APC.exe path to allowed applications. All worked normally. SRP blocked APC.exe, and when whitelisted by file path (from Hard_Configurator) I could run it and had access to protected folders.
    If the above cure does not help, then I would be very surprised. :)
     
  12. Andy Ful

    Andy Ful Level 21

    There is a simpler method to check the impact of Controlled Folder Access on SRP. Simply remove APC.exe from allowed applications in Controlled Folder Access, restart the system and check if APC.exe is now blocked by SRP. If it is not, then deactivate Controlled Folder Access, restart, and check APC again. :)
     
    XhenEd likes this.
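The check Andy Ful suggests above (take the program off the Controlled Folder Access allow list, restart, see whether SRP blocks it) can be verified from PowerShell instead of by clicking through the Defender UI. The script below is an added example and not code from the thread or from Hard_Configurator; it assumes Windows 10 with Microsoft Defender's PowerShell module (Get-MpPreference) and an elevated session, relies on Defender event 1123 (CFA block) and SRP events 865/866 (blocked by default level / by path rule) in the event logs, and uses the APC.exe path from the thread only as a placeholder.

```powershell
# Added example (not from the thread): report the Controlled Folder Access (CFA)
# state, check whether a program is on its allow list, and pull recent block
# events for that program from both Defender (CFA) and SRP.
# Assumes Windows 10 with Microsoft Defender; run from an elevated PowerShell.
function Get-CfaAndSrpStatus {
    param(
        # Program under test; the path from the thread is used here as a placeholder.
        [string]$ProgramPath = 'C:\Users\ymsna\AppData\Local\Albelli Fotoboeken\APC.exe'
    )
    $exeName = Split-Path -Path $ProgramPath -Leaf
    $pref = Get-MpPreference

    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = Audit mode.
    $cfaState = switch ([int]$pref.EnableControlledFolderAccess) {
        0 { 'Disabled' }
        1 { 'Enabled' }
        2 { 'AuditMode' }
        default { "Unknown ($_)" }
    }
    $allowedApps = @($pref.ControlledFolderAccessAllowedApplications)
    $onAllowList = $allowedApps -contains $ProgramPath

    # Defender Operational log, event 1123 = CFA blocked an app from touching a protected folder.
    $cfaBlocks = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$exeName*" }

    # Application log, source SoftwareRestrictionPolicies:
    # 865 = blocked by the default security level, 866 = blocked by a path rule.
    $srpBlocks = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866 } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*SoftwareRestrictionPolicies*' -and $_.Message -like "*$exeName*" }

    [pscustomobject]@{
        Program             = $ProgramPath
        CfaState            = $cfaState
        OnCfaAllowList      = $onAllowList
        CfaAllowedApps      = $allowedApps
        CfaProtectedFolders = @($pref.ControlledFolderAccessProtectedFolders)
        RecentCfaBlocks     = @($cfaBlocks | ForEach-Object { "$($_.TimeCreated)  $(($_.Message -split "`r?`n")[0])" })
        RecentSrpBlocks     = @($srpBlocks | ForEach-Object { "$($_.TimeCreated)  $(($_.Message -split "`r?`n")[0])" })
    }
}

# Usage: the result to look for is OnCfaAllowList = True together with fresh
# entries in RecentSrpBlocks, i.e. the CFA allow list did not change the SRP verdict.
$status = Get-CfaAndSrpStatus
$status | Format-List
```

Run it once with the program on the CFA allow list and once after removing it (Remove-MpPreference -ControlledFolderAccessAllowedApplications) and restarting; if SRP is doing its job the RecentSrpBlocks list grows in both runs when you try to start the program, which is the outcome Andy Ful reports in his test.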
  13. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Well, I removed and added the registry keys; nothing strange there.

    Just to check we are not cross-talking and misunderstanding, you tested the following scenario (on Windows 10 64-bit)?
    1. Set your SRP to Basic User
    2. No (allow) rule for APC.exe
    3. Only default rules (%ProgramW6432%, %ProgramFiles(x86)%, %ProgramFiles%, %SystemRoot%)
    4. Enable Controlled Folder Access
    5. Allow APC.exe

    Thanks
     
    XhenEd likes this.
  14. Andy Ful

    Andy Ful Level 21

    Hard_Configurator uses SRP with Default Security Level set to Basic User, but also uses some Disallowed/Unrestricted rules to stop shortcuts from executing EXE files from the User Space. Without those additional rules, the Default Security Level set to Basic User causes the loophole: a shortcut can execute an EXE file in the User Space that is not whitelisted.
    Did you try deactivating Controlled Folder Access, as I suggested in my previous post? That would be the simplest way to check the impact of Controlled Folder Access on SRP. :)
    See you later, I must go out. :)
     
    harlan4096 likes this.
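The registry keys Andy Ful names a few posts up (HKLM and HKCU ...\Policies\Microsoft\Windows\Safer) hold the whole SRP policy, so the scenario Windows_Security lists (default level Basic User, no allow rule for APC.exe, only the default path rules) and the shortcut loophole described in this post can be inspected directly rather than by trial runs. The script below is an added example, not code from the thread or from Hard_Configurator. It assumes the standard Windows 10 SRP registry layout (CodeIdentifiers\<level>\Paths\<GUID> with an ItemData value per rule), only approximates SRP's path matching (a folder rule covers everything beneath it; the most specific matching rule wins), treats "a Disallowed rule ending in .lnk" as the marker for the shortcut fix the thread describes, and uses the APC.exe path from the thread as a placeholder.

```powershell
# Added example (not from the thread): audit the Software Restriction Policies
# stored under the Safer registry keys in HKLM and HKCU, list the path rules per
# security level, flag the Basic User shortcut loophole discussed in the thread,
# and show which rules would apply to a given file. Run from an elevated PowerShell.
$script:LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path -Path $base)) { return $null }
    $ci = Get-ItemProperty -Path $base
    # Rules live under CodeIdentifiers\<level>\Paths\<GUID>; ItemData holds the path.
    $rules = foreach ($levelKey in Get-ChildItem -Path $base) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = [int]$levelKey.PSChildName
        $pathsKey = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level       = $script:LevelNames[$level]
                Path        = [string]$p.ItemData
                Description = [string]$p.Description
            }
        }
    }
    [pscustomobject]@{
        Hive               = $Hive
        DefaultLevel       = $script:LevelNames[[int]$ci.DefaultLevel]
        TransparentEnabled = $ci.TransparentEnabled   # 0 = SRP off, 1 = all except DLLs, 2 = all files incl. DLLs
        PolicyScope        = $ci.PolicyScope          # 0 = all users, 1 = all users except local administrators
        PathRules          = @($rules)
    }
}

# Expand an SRP rule path: either a registry-path rule (%HKEY_...\Key\Value%suffix, as in the
# default rules) or one using environment variables (%SystemRoot%, %ProgramFiles%, ...).
function Expand-SrpPath {
    param([string]$RulePath)
    if ($RulePath -match '^%HKEY_(LOCAL_MACHINE|CURRENT_USER)\\(.+)\\([^\\]+)%(.*)$') {
        $drive = if ($Matches[1] -eq 'LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $name = $Matches[3]
        $suffix = $Matches[4]
        $item = Get-ItemProperty -Path "$drive\$($Matches[2])" -Name $name -ErrorAction SilentlyContinue
        if ($item) { return ([string]$item.$name + $suffix) }
    }
    return [Environment]::ExpandEnvironmentVariables($RulePath)
}

# Approximation of SRP path matching: a folder rule covers everything beneath it, a file or
# wildcard rule is matched as a pattern. Real SRP applies the most specific matching rule,
# so results are returned most specific (longest expanded path) first.
function Get-SrpMatchingRules {
    param($Policy, [string]$FilePath)
    $file = [Environment]::ExpandEnvironmentVariables($FilePath)
    $hits = foreach ($r in $Policy.PathRules) {
        $rulePath = (Expand-SrpPath -RulePath $r.Path).TrimEnd('\')
        $isMatch = if ($rulePath -match '[*?]' -or [IO.Path]::HasExtension($rulePath)) {
            $file -like $rulePath
        } else {
            $file -like ($rulePath + '\*')
        }
        if ($isMatch) { $r | Add-Member -NotePropertyName Expanded -NotePropertyValue $rulePath -PassThru -Force }
    }
    $hits | Sort-Object { $_.Expanded.Length } -Descending
}

# The loophole from the thread: with Default Security Level = Basic User and no explicit
# Disallowed rule for shortcuts, a pinned .lnk can start a non-whitelisted EXE in user space.
function Test-SrpShortcutLoophole {
    param($Policy)
    $lnkRules = @($Policy.PathRules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -like '*.lnk' })
    if ($Policy.DefaultLevel -eq 'Basic User' -and $lnkRules.Count -eq 0) {
        return 'WARNING: Basic User default level without a Disallowed *.lnk rule; shortcuts can launch non-whitelisted EXEs.'
    }
    return 'OK: no shortcut loophole detected.'
}

# Usage: in the thread's scenario (Basic User default, only the default path rules)
# APC.exe (path from the thread, used as a placeholder) should match no Unrestricted rule.
$testFile = 'C:\Users\ymsna\AppData\Local\Albelli Fotoboeken\APC.exe'
foreach ($hive in 'HKLM', 'HKCU') {
    $policy = Get-SrpPolicy -Hive $hive
    if ($null -eq $policy) { "${hive}: no SRP policy present"; continue }
    "${hive}: DefaultLevel=$($policy.DefaultLevel) TransparentEnabled=$($policy.TransparentEnabled) PolicyScope=$($policy.PolicyScope)"
    $policy.PathRules | Sort-Object Level, Path | Format-Table -AutoSize | Out-String
    Test-SrpShortcutLoophole -Policy $policy
    "Rules matching ${testFile} (most specific first):"
    Get-SrpMatchingRules -Policy $policy -FilePath $testFile | Format-Table Level, Path, Expanded -AutoSize | Out-String
}
```

If the listing shows an Unrestricted rule whose Path is the full APC.exe file path, that is exactly the situation Andy Ful describes in post #29: only that file is allowed from its folder, and everything else in user space still hits the default level. If the only matching rules are the default SystemRoot and Program Files rules and the program still starts, the cause lies outside SRP, which is what the thread eventually concluded.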
  15. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    @Andy Ful
    Thx for explaining :) everything works as intended. I thought we were cross-talking (at least I did), so now I am on the same page as you again.
     
    Andy Ful likes this.
  16. Andy Ful

    Andy Ful Level 21

    :)(y)
     