
Thread: AppLocker and getpaths.cmd

  1. #1
    jrainero (Getting Started on GPanswers.com)
    Join Date
    Mar 2011
    Posts
    3

    AppLocker and getpaths.cmd

    Hello,

    We recently watched your TechEd presentation on AppLocker, which was excellent btw, but we are in audit mode and are seeing a large number of MSI and Script Warnings related to the getpaths.cmd file in the AppLocker audit log. How can we set an AppLocker rule to allow this? It appears that the path sometimes changes as well as the bits, so path and hash rules may be out.

    Thanks,
    Joe

  2. #2
    jeremym (30+ Helpful Posts, 50+ Helpful Posts)
    Join Date
    Dec 1969
    Posts
    62

    Make a Path Rule

    Make a Path rule, then just type in the name. All files with that name will pass, regardless of where they live.
    -Jeremy Moskowitz
    GPanswers.com
    PolicyPak.com

  3. #3
    jrainero (Getting Started on GPanswers.com)
    Join Date
    Mar 2011
    Posts
    3

    Will the path rule work if the path changes?

    Hello Jeremy,

    Thank you for the reply. So path and hash rules may be out. Specifically for getpaths.cmd, it appears that the path for this command sometimes changes as well as the bits. Is there a way to use wildcards in the path for AppLocker?

    Thanks,
    Joe

  4. #4
    jeremym (30+ Helpful Posts, 50+ Helpful Posts)
    Join Date
    Dec 1969
    Posts
    62

    Not super sure

    Try it... and report back. :-)
    -Jeremy Moskowitz
    GPanswers.com
    PolicyPak.com

  5. #5
    jrainero (Getting Started on GPanswers.com)
    Join Date
    Mar 2011
    Posts
    3

    I think it works

    I put the following path into Script Rules in AppLocker: C:\Users\*\AppData\Local\Temp\*\getpaths.cmd

    I am using auditing and now I no longer see the following error which did appear prior to adding the above path Script Rule:

    Log Name: Microsoft-Windows-AppLocker/MSI and Script
    Source: Microsoft-Windows-AppLocker
    Date: 3/31/2011 1:18:53 PM
    Event ID: 8006
    Task Category: None
    Level: Warning
    Keywords:
    User: Domain\User
    Computer: ServerName
    Description:
    %OSDRIVE%\USERS\Username\APPDATA\LOCAL\TEMP\3\GETPATHS.CMD was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
    <EventID>8006</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2011-03-31T17:18:53.238352200Z" />
    <EventRecordID>133</EventRecordID>
    <Correlation />
    <Execution ProcessID="4600" ThreadID="9004" />
    <Channel>Microsoft-Windows-AppLocker/MSI and Script</Channel>
    <Computer>ComputerName</Computer>
    <Security UserID="S-1-5-21-1585978019-738875415-1139884978-2612" />
    </System>
    <UserData>
    <RuleAndFileData xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
    <PolicyName>SCRIPT</PolicyName>
    <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
    <RuleName>-</RuleName>
    <RuleSddl>-</RuleSddl>
    <TargetUser>S-1-5-21-15859-7415-11378-2612</TargetUser>
    <TargetProcessId>4600</TargetProcessId>
    <FilePath>%OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\3\GETPATHS.CMD</FilePath>
    <FileHash>C9048D3B02C723EB8A3ABAE5129FB6B6F634D43E823B197381D534D5</FileHash>
    <Fqbn>-</Fqbn>
    </RuleAndFileData>
    </UserData>
    </Event>
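A way to verify a rule like the one above before leaving audit mode, as an added example that is not from the thread: pull the files behind the 8006 audit events out of the "MSI and Script" log and run them through the effective AppLocker policy, so every location getpaths.cmd has actually run from is checked against the wildcard path rule. Assumes an elevated PowerShell session on the machine that logged the events, with the AppLocker module present; the `getpaths.cmd` filter and the `-User` suggestion are this example's choices.

```powershell
# Added example, not code from the thread. Requires the AppLocker module
# (ships with Windows; run elevated so the AppLocker event log is readable).
Import-Module AppLocker

$log = 'Microsoft-Windows-AppLocker/MSI and Script'

# Event 8006 = "allowed to run but would have been prevented" (audit mode).
# -EventType Audited returns a file-information object per such event.
$audited = Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited

# Narrow to the file discussed in the thread; drop this filter to review everything.
$target = $audited | Where-Object { "$($_.Path)" -like '*\getpaths.cmd' }

# Evaluate each recorded path against the effective (local + GPO merged) policy.
# Add -User <SID or name> to evaluate for the account shown in the event.
$result = $target | Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective)

$result | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# Any remaining Denied / DeniedByDefault entry is a location the
# C:\Users\*\AppData\Local\Temp\*\getpaths.cmd rule does not reach.
$result | Where-Object { $_.PolicyDecision -like 'Denied*' } |
    ForEach-Object { Write-Warning "Not covered by a rule: $($_.FilePath)" }
```

Because the rule allows any file named getpaths.cmd anywhere under a user's Temp folder, keep reviewing the 8002/8005 "allowed" events for that name after enforcement, not just the 8006 audit warnings.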
