Software Restriction Policies. Block CAB files on desktop not working. (other file types work perfectly)

    Question

  • I am trying to block .cab files in selected paths, but the path rule doesn't work. I have several other restrictions for exe, scr and also a test one for xlsx.

    These are all blocking successfully. However, the cab rule, which sits next to all the other rules, does not block cabs.

    At first I thought maybe cab files are not affected because they are data files of the Explorer.exe program. (Meaning you feed the CAB file to Explorer.exe to process. The file itself doesn't seem to execute.)

    So I added the .xlsx extension as a test, as this is a data file of the Excel.exe program. However, it does block successfully.

    Information:

    -The rules are running under a computer GPO.

    -I have tried removing and re-adding the rule.

    -Every other rule works as expected.

    -I have added the CAB file type in the "Designated File Types".

     

    Examples of the rules are:

    %UserProfile%\Desktop\*.exe    Blocks Successfully

    %UserProfile%\Desktop\*.cab    Ignores entry

    %UserProfile%\Desktop\*.scr     Blocks Successfully

    %UserProfile%\Desktop\*.xlsx    Blocks Successfully

    Anyone know why?

    Geoff.



    • Edited by to_Geoff Thursday, November 19, 2015 10:41 PM formatting issues.
    Thursday, November 19, 2015 10:39 PM

All replies

  • Hi, to_Geoff

    We are testing in our lab environment to do troubleshooting  based on your scenario.

    If we have any update, you will know it.


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 20, 2015 9:01 AM
    Moderator
  • Hi

    Sorry that it took me so long to get back to you. I have tested in my local lab and I can reproduce the same result. It seems the path rule just doesn’t work for .cab files.

    Windows uses Windows Explorer to open cab files. Personally, it seems Windows treats a cab file like a folder instead of a file, which could be why group policy could not be applied correctly.




    Monday, November 23, 2015 7:54 AM
    Moderator
  • Thanks for your investigation Wendy,

    Is this by design, or will a solution be investigated?

    Regards,

    Geoff.

    Monday, November 23, 2015 8:36 AM
  • Hi Geoff,

    I’ve already done some investigation on this, but failed to find a solution. I didn’t find any documentation about this; personally I would agree that this is kind of by design.



    Tuesday, November 24, 2015 2:31 AM
    Moderator
  • > %UserProfile%\Desktop\*.cab    Ignores entry
    > %UserProfile%\Desktop\*.xlsx    Blocks Successfully
     
    That makes me wonder - it should allow xlsx as well as cab or block both...
     
     
    According to this doc, SRP relies on ShellExecute and CreateProcess
    which both call SaferIdentifyLevel to determine whether the current
    executable is allowed. Since data files do not launch by themselves but
    the assigned application instead (explorer.exe or excel.exe), I would
    expect both above rules not to work.
     
    And from the above doc:
     > If the file type of the shortcut’s (.lnk) target is not an executable
     > file directly, such as a .doc file, and if .doc is included in
     > Designated File Types, software restriction policies rules are
     > applied to the .doc file. If .doc is not included in Designated File
     > Types, ShellExecute runs the handler with specified options (such as
     > running “WinWord filename.doc”). At this point, CreateProcess applies
     > software restriction policies to the application, WinWord, and not to
     > the filename.doc, which was the actual target of the .lnk.
     
    To me this means that cab should be blocked as well as xlsx, and this
    makes me declare this a bug (or "by design"?) in SRP.
     
    Tuesday, November 24, 2015 11:36 AM
  • That is my conclusion too. A bug.

    Unfortunately since a fix is not pending, I will have to live without it. Thanks for your input. (And Wendy as well).

    Geoff.

    Wednesday, November 25, 2015 12:21 AM
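
A check for the two settings the question relies on, the path rules and the Designated File Types entry, as they actually arrived on a client through the computer GPO (added example, not posted by anyone in the thread). It assumes computer-scope SRP is stored under the standard `Safer\CodeIdentifiers` policy key; the function names are hypothetical, and the script only reads policy, so it confirms delivery of the rule rather than explaining the .cab behaviour.

```powershell
# Added example: read-only audit of SRP settings delivered by a computer GPO.
# Assumption: policy lives under the standard computer-scope SRP key below.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpDesignatedTypes {
    param([string]$Root = $SrpRoot)
    # ExecutableTypes is the multi-string list behind "Designated File Types".
    $types = (Get-ItemProperty -Path $Root -Name ExecutableTypes -ErrorAction Stop).ExecutableTypes
    $types | ForEach-Object { $_.Trim().TrimStart('.').ToUpperInvariant() } | Where-Object { $_ }
}

function Get-SrpPathRules {
    param([string]$Root = $SrpRoot)
    # Numeric subkeys are security levels: 0 = Disallowed, 262144 = Unrestricted.
    foreach ($level in Get-ChildItem -Path $Root -ErrorAction Stop) {
        $pathsKey = "$($level.PSPath)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            # Keep %UserProfile% unexpanded so the rule reads as it was authored.
            $raw = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{
                Level = $level.PSChildName
                Path  = [string]$raw
                Guid  = $rule.PSChildName
            }
        }
    }
}

function Test-SrpRuleCoverage {
    param([string]$Root = $SrpRoot)
    $designated = @(Get-SrpDesignatedTypes -Root $Root)
    foreach ($rule in Get-SrpPathRules -Root $Root) {
        # Extension of the rule's last path segment, e.g. CAB for ...\Desktop\*.cab
        $ext = if ($rule.Path -match '\.([^.\\/]+)$') { $Matches[1].ToUpperInvariant() } else { '' }
        [pscustomobject]@{
            Level        = $rule.Level
            Path         = $rule.Path
            Extension    = $ext
            # Folder rules have no extension, so the designated-type check does not apply.
            IsDesignated = if ($ext) { $designated -contains $ext } else { $null }
        }
    }
}

Test-SrpRuleCoverage | Sort-Object Level, Path | Format-Table -AutoSize
```

If the `*.cab` rule shows up at level 0 with `IsDesignated` set to `True`, the policy reached the client as configured and the behaviour reported in the thread is not a delivery problem.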