Software Restriction Policy issue

  • Question

  • Hi everyone,

    I'm trying to set up a basic set of SRP rules to prevent some malware infections and it's driving me crazy.

    The default rule is to deny all executables from running from all locations, except the ones which I defined in the whitelist.

    Execution is allowed from these locations only:

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

     

    This generally works just fine.

    The problem is – Microsoft Office (go figure...). When I attempt to open Office files from Outlook, I get the usual error message:

     

    Access to C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE has been restricted by your Administrator by the default software restriction policy level.

     

    This would make complete sense if this path were not whitelisted. Otherwise, if you save this file to (e.g.) the Desktop and open it from there, it will work normally. Except if the file is not blocked, then it won't open in "Protected mode" either unless the file is manually unblocked by the user. Which is also a real joy.

    If I set a hash rule in the SRP whitelist policy for each Office program (EXCEL.EXE, WINWORD.EXE, etc.), then everything works like a charm from any location (Protected mode too). But I really don't want to use hash rules for this, as I will have to update them upon every MS Office update. I would like to avoid using the SRP blacklist approach.

     

    My conclusion is that if hash rule works just fine, and path rule is making the trouble, it probably means that Outlook is trying to reach Office executables through some other path. 

    If someone has encountered the same problem, a hint to resolve it would be most appreciated.

    Thanks.

    Friday, April 1, 2016 8:16 AM

Answers

  • Hi Zimzon983,

     

    Based on your description, I agree with you, it could be because Outlook is trying to reach Office executables through some other path.

    According to my research, Outlook could also reach Office executables through the path (%ProgramFiles%\Common Files).

    There could be other related paths. We could use Process Monitor to capture it.

    https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

    Open Process Monitor, then reproduce the issue to capture it.

    Based on your situation, I think the easier way is to create a path rule for Office.

    Add the path “C:\Program Files\Microsoft Office 15\Root\Office15\” to path rule and set the security level of the path rule to Unrestricted.

     

    Best regards.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Zimzon983 Wednesday, April 6, 2016 11:37 AM
    Monday, April 4, 2016 11:08 AM
    Moderator
  • Hi Rick_Li,

    Adding the full path of Office installation to Whitelist has resolved the issue.  

    Thank you for this hint.

    Kind regards,

    Zimzon

    Wednesday, April 6, 2016 11:39 AM
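
A read-only diagnostic for the situation discussed above, added here as an example and not posted by anyone in the thread: it lists the SRP path rules from machine policy, resolves registry path rules such as `%HKEY_LOCAL_MACHINE\...\ProgramFilesDir%` to the directory they actually point at, and reports which rules cover the executable named in the error message. The function names are hypothetical, and the matching is a simplified prefix test that ignores `?` and `*` wildcards.

```powershell
# Added diagnostic example (not from the thread). Read-only: lists SRP path rules
# from machine policy and shows which of them cover a given executable.
$Base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Resolve-SrpPath([string]$ItemData) {
    # Registry path rule: %HIVE\Key\ValueName% with an optional suffix after the closing %
    if ($ItemData -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%(.*)$') {
        $hive = $Matches[1]; $key = $Matches[2]; $name = $Matches[3]; $suffix = $Matches[4]
        $drive = if ($hive -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $value = (Get-ItemProperty -LiteralPath "$drive\$key" -Name $name -ErrorAction SilentlyContinue).$name
        if (-not $value) { return $null }   # value missing: the rule resolves to nothing
        return [Environment]::ExpandEnvironmentVariables("$value$suffix")
    }
    return [Environment]::ExpandEnvironmentVariables($ItemData)
}

function Get-SrpPathRule {
    # Each security level is a numbered subkey; its path rules live under <level>\Paths\{GUID}
    foreach ($lvl in Get-ChildItem -LiteralPath $Base -ErrorAction SilentlyContinue) {
        $rules = Get-ChildItem -LiteralPath "$($lvl.PSPath)\Paths" -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            $raw = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{
                Level    = $Levels[$lvl.PSChildName]
                ItemData = $raw
                Resolved = Resolve-SrpPath $raw
                Guid     = $rule.PSChildName
            }
        }
    }
}

function Test-SrpPathCoverage([string]$Target) {
    # Simplified: case-insensitive folder-prefix match, most specific (longest) rule first
    Get-SrpPathRule | Where-Object {
        if (-not $_.Resolved) { return $false }
        $p = $_.Resolved.TrimEnd('\')
        ($Target -ieq $p) -or $Target.StartsWith("$p\", 'OrdinalIgnoreCase')
    } | Sort-Object { $_.Resolved.Length } -Descending
}

$policy = Get-ItemProperty -LiteralPath $Base -ErrorAction SilentlyContinue
"Default level: $($Levels[[string]$policy.DefaultLevel])"
Get-SrpPathRule | Format-Table Level, ItemData, Resolved -AutoSize
# Path taken from the error message quoted in the question
Test-SrpPathCoverage 'C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE' | Format-List
```

The values read for registry path rules depend on the registry view of the process running the script, so output from 32-bit and 64-bit PowerShell can differ. Setting a `LogFileName` string value under the same `CodeIdentifiers` key turns on SRP's own logging, which records the rule GUID that decided each launch.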

All replies

  • Hi Rick_Li,

    Thank you for your reply, it's appreciated.

    I have already tried to add the complete path even with executable included "C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE" but unfortunately, that does not work either. 

    I'll also try your suggestion to go with Common Files, but I'm skeptical because it should work already based on the third path rule.

    Process Monitor was not a huge help for me so far. But I have tried to launch it in an SRP-free environment to see which folders EXCEL.EXE is trying to access. I'll try the opposite way and get back with results.

    Thanks again,

    Regards,

    Zimzon

    Monday, April 4, 2016 11:19 AM
  • Hi Zimzon983,

    I am glad to hear that you have solved this issue.

    Also, thanks for sharing your experience and solution here. 

    cheers.
    Thursday, April 7, 2016 1:05 AM
    Moderator