AppLocker GP - Blocking an application but nothing in log

    Question

  • Hi,

    We have an AppLocker Domain Group Policy in place which works well, it blocks what it's supposed to and registers events for things it does block, but I am having an issue with one particular application.  

    I have installed the application on a PC which has the policy applied and when I run it the error "Import Error - Failed to load module MSVBVM60.DLL" pops up.  If I check the Event Log under Applocker, the exe is there as allowed to run, with no mention of the error message.

    If I deny the policy to the same PC and update the GP, the application opens fine.

    I have created a Publisher executable rule for the application, and have even gone as far as adding in rules to allow everything for my login account, but I still get the error message above.  DLL rules are set to Auditing only, but I've added rules in for this also and nothing is mentioned in the logs.

    So I have no idea why the application is being blocked and where to apply the rule to let it run.  Does anyone have any other similar experiences or any tips on what I can do to resolve the problem?  I've run different process monitoring tools but to be honest, I'm not really sure what I'm looking for.

    Thank you

    Friday, February 12, 2016 4:11 PM
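Added example (not from this thread or any of its posters): the checks a defender would run on the affected PC to confirm whether AppLocker is what stops MSVBVM60.DLL from loading. The application path, the DLL location and the test account are placeholders; adjust them to the real machine.

```powershell
# Added troubleshooting script; placeholder values, not from the original thread.
$AppExe   = 'C:\Program Files\ExampleApp\app.exe'   # placeholder: the blocked application
$Dll      = 'C:\Windows\SysWOW64\msvbvm60.dll'      # assumed: VB6 runtime location on 64-bit Windows
$TestUser = "$env:USERDOMAIN\$env:USERNAME"         # the account that sees the error

# 1. Evaluate the EXE and the DLL against the effective (local + domain) policy.
#    An EXE that is Allowed while the DLL is Denied / DeniedByDefaultRule means the
#    DLL collection, not the EXE collection, is where a rule is missing.
$policy = Get-AppLockerPolicy -Effective
$policy | Test-AppLockerPolicy -Path $AppExe, $Dll -User $TestUser |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 2. Read the last hour of AppLocker EXE/DLL events.
#    8002 = allowed, 8003 = audit mode would have blocked, 8004 = blocked.
#    If the DLL never appears at all, AppLocker did not evaluate it, which points
#    the investigation away from AppLocker (e.g. a missing/unregistered runtime).
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    StartTime = (Get-Date).AddHours(-1)
    Id        = 8002, 8003, 8004
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'msvbvm60\.dll' -or
                   $_.Message -match [regex]::Escape($AppExe) } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. The Application Identity service must be running or the log stays empty.
Get-Service AppIDSvc | Select-Object Name, Status
```

Run it in an elevated PowerShell session on the PC that shows the error, once with the GPO linked and once with it unlinked, and compare the two outputs.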

All replies

  • Did you run procmon as discussed here?

    • https://social.technet.microsoft.com/Forums/windows/en-US/100be619-9ec0-459b-869d-936e414c7776/applocker-blocking-an-application-even-with-an-allow-all?forum=w7itproappcompat

    I'd expect you to see a new process (pid) spawn during a working state but not during the failure condition. Or, at least, that's where I'd start.


    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Saturday, February 13, 2016 4:03 AM
  • Try to exclude the complete application folder.
    Saturday, February 13, 2016 5:33 AM
  • Hi,
    I agree with Mike; please use Process Monitor to analyze.
    Besides, please capture the screenshot of AppLocker policy and post here.
    It may be helpful to do troubleshooting.

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, February 15, 2016 2:07 AM
    Moderator
  • Hi, 

    Thank you for your responses so far.  I have run Process Monitor but I'm not exactly sure what to look out for.  I've saved two logs, one run with the policy applied and one without.  The application shows up in both logs, but there are no errors or "Denied" values in the Result column, which is what I would expect to find when I receive the error message with the policy applied.

    I've included the standard Default Rules in the Applocker policy, plus a path rule to allow  the APPDATA folder - %OSDRIVE%\USERS\*\APPDATA\*.

    I've also included a Publisher rule for the Application.  DLL rules are set to Audit only at the moment.

    No other settings are configured for the policy, only AppLocker rules and the Application Identity service.

    Tuesday, February 16, 2016 10:58 AM
  • >> I have run Process Monitor but I'm not exactly sure what to look out for.

    As I said above: I'd expect you to see a new process (pid) spawn during a working state but not during the failure condition. Or, at least, that's where I'd start.

    procmon seems crazy at first, but it's actually pretty simple once you get the hang of it. Start by monitoring something you understand, like launching cmd, then from within it run notepad. Then try to browse to a text file on your desktop. Work with the filters by right-clicking stuff and including or excluding it.



    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Wednesday, February 17, 2016 5:20 AM
    Thanks Mike.  OK, I've used procmon to monitor what happens when I run the application.  After I get the error message and stop capturing, the last entry is a RegCloseKey operation for HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer with a SUCCESS result.  There is nothing listed with ACCESS DENIED or anything I would expect.  I filtered the results to include the exe from Process Name.  If I filter the entire capture to look for ACCESS DENIED results, nothing comes back.

    Very strange! :-(

    Friday, February 19, 2016 12:59 PM
  • Hi,
    Please confirm again that no other related group policy is configured by running gpresult command or using group policy result wizard.
    If you suspect someone, you could unlink the GPO, reboot computer and try again.

    Regards,
    Wendy



    Tuesday, March 01, 2016 9:12 AM
    Moderator