Strange applocker problem with Zoom Outlook Plugin

  • Question

    Hi,

    I already asked this question in the German forum but got no satisfying answer, so let's try again:

    https://social.technet.microsoft.com/Forums/de-de/0d924bde-5815-42ad-a4af-bbbd8773896d/seltsames-applocker-problem-mit-zoom-outlook-plugin?forum=win10itprogeneralDE

    We have a strange Zoom Outlook Plugin problem on some devices: it appears from time to time and is not reproducible on those devices, but the plugin works quite normally on most devices.

    The applocker default rules for %Windows% and %ProgramFiles% are set and there are a number of exceptions for various things.

    The Zoom Outlook Plugin is located in "C:\Program Files (x86)\Zoom\Zoom Outlook Plugin\plugin_Launcher.exe" and should be covered by the default rule. It is also covered and working on most devices. On some devices where it doesn't work, you can find the following in the AppLocker event log under Details (I changed UserID and Computer):

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-AppLocker" Guid="{cbda4dbf-8d5d-4f69-9578-be14aa540d22}" />
        <EventID>8004</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2020-09-22T23:44:01.485166700Z" />
        <EventRecordID>87716</EventRecordID>
        <Correlation />
        <Execution ProcessID="8788" ThreadID="5008" />
        <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
        <Computer>pcname.domain.xyz.de</Computer>
        <Security UserID="S-1-5-21-abc-def-xyz-yxy" />
      </System>
      <UserData>
        <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
          <PolicyNameLength>3</PolicyNameLength>
          <PolicyName>EXE</PolicyName>
          <RuleId>{6eadb593-a01f-4b45-b44b-35f8e5570b1e}</RuleId>
          <RuleNameLength>35</RuleNameLength>
          <RuleName>%PROGRAMFILES%\Eckels Engineering\*</RuleName>
          <RuleSddlLength>256</RuleSddlLength>
          <RuleSddl>D:(XD;;FX;;;S-1-1-0;((APPID://PATH Contains "%PROGRAMFILES%\ECKELS ENGINEERING\*") && (!((Exists APPID://SHA256HASH) && (APPID://SHA256HASH Any_of {#a913ca05d60f4645e731d6a99f97e4792d121760ffa74b143fadb7ec4cc9f8f4, #0c8dc651fddefdf0b8860741639b1c16a5ef1...</RuleSddl>
          <TargetUser>S-1-5-21-abc-def-xyz-yxy</TargetUser>
          <TargetProcessId>8000</TargetProcessId>
          <FilePathLength>67</FilePathLength>
          <FilePath>C:\Program Files (x86)\Zoom\Zoom Outlook Plugin\plugin_Launcher.exe</FilePath>
          <FileHashLength>0</FileHashLength>
          <FileHash />
          <FqbnLength>1</FqbnLength>
          <Fqbn>-</Fqbn>
          <TargetLogonId>0x474fe3</TargetLogonId>
        </RuleAndFileData>
      </UserData>
    </Event>

    I need the rule "%PROGRAMFILES%\Eckels Engineering\*" for a piece of software that requires write permissions for users in the program folder "%PROGRAMFILES%\Eckels Engineering\", because otherwise the program does not work properly. Therefore I first forbid everything there and then exclude certain hash values from being forbidden (to ensure that users cannot simply put malware.exe there despite the existing write permissions and have it executed afterwards).

    I don't understand why the Outlook Plugin falls under this rule because the path is completely different.

    On the affected devices the group policies are applied cleanly.

    I would be very grateful for any ideas.

    Thursday, October 8, 2020 6:46 AM
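One way to triage such events offline, as an added example (not code from the post or from Microsoft): the script below parses an 8004 event like the one quoted above, expands %PROGRAMFILES% to both Program Files folders (assuming the default install locations), and reports whether the path condition of the rule named in the event can match the blocked file's path at all, and whether the event recorded a file hash.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by AppLocker events (as in the 8004 event quoted in the post).
NS = {"ev": "http://schemas.microsoft.com/win/2004/08/events/event",
      "al": "http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0"}

# Folders each AppLocker path variable stands for. %PROGRAMFILES% covers both
# Program Files directories on 64-bit Windows (assumption: default install paths).
PATH_VARS = {"%PROGRAMFILES%": [r"C:\Program Files", r"C:\Program Files (x86)"],
             "%WINDIR%": [r"C:\Windows"]}

# Constructed sample: the fields of the post's blocked event, trimmed to what we parse.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8004</EventID><Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel></System>
  <UserData><RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
    <RuleId>{6eadb593-a01f-4b45-b44b-35f8e5570b1e}</RuleId>
    <RuleName>%PROGRAMFILES%\Eckels Engineering\*</RuleName>
    <FilePath>C:\Program Files (x86)\Zoom\Zoom Outlook Plugin\plugin_Launcher.exe</FilePath>
    <FileHash />
  </RuleAndFileData></UserData>
</Event>"""

def parse_event(xml_text):
    """Pull the rule and file fields out of one AppLocker EXE/DLL event."""
    root = ET.fromstring(xml_text)
    data = root.find("ev:UserData/al:RuleAndFileData", NS)
    return {"event_id": int(root.findtext("ev:System/ev:EventID", namespaces=NS)),
            "rule_id": data.findtext("al:RuleId", namespaces=NS),
            "rule_name": data.findtext("al:RuleName", namespaces=NS),
            "file_path": data.findtext("al:FilePath", namespaces=NS),
            "file_hash": data.findtext("al:FileHash", namespaces=NS) or ""}

def path_rule_covers(rule_path, file_path):
    """Case-insensitive test of an AppLocker path condition against a file path."""
    roots = [rule_path]
    for var, folders in PATH_VARS.items():
        if rule_path.upper().startswith(var):
            roots = [f + rule_path[len(var):] for f in folders]
    # A trailing "*" in the rule matches anything below that folder.
    pats = ["^" + re.escape(r).replace(r"\*", ".*") + "$" for r in roots]
    return any(re.match(p, file_path, re.IGNORECASE) for p in pats)

def explain_block(xml_text):
    """Parsed event plus two triage flags: does the rule's path cover the file, was a hash logged."""
    ev = parse_event(xml_text)
    ev["rule_path_covers_file"] = path_rule_covers(ev["rule_name"], ev["file_path"])
    ev["hash_recorded"] = bool(ev["file_hash"])
    return ev

if __name__ == "__main__":
    for key, value in explain_block(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

For the quoted event it reports that the Eckels Engineering path rule does not cover the Zoom plugin path and that no file hash was recorded, which is the discrepancy worth raising with support.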