AppLocker not behaving as expected when file has Alternate Data Streams and rule is not applied to everyone.

    Question

  • AppLocker not behaving as expected when file has Alternate Data Streams and rule is not applied to everyone. I have a publisher rule set up for MS Office 2010 as in the picture

    When this is set to Allow for Everyone, Office works as expected. However, if I set the rule to Allow for Domain Users I have an issue. I'll use an Excel document as an example. If the file I am using has Alternate Data Streams attached with ZoneID=3, then I get this error

    And inside the Event Viewer I see

    If I remove the Data Stream or set it to ZoneID=0, then the application works fine. The application also works if the Everyone group is given Allow on the AppLocker rule.

    So the question is: What is happening between AppLocker and Office when it comes to ADS that is preventing Office from running correctly?

    Oh, by the way, the normal "AppLocker is blocking this application" error is never seen.

    • Edited by ZenShaze Monday, June 18, 2012 8:14 PM Align Pictures
    Monday, June 18, 2012 8:13 PM

Answers

  • I got an e-mail yesterday from a Microsoft employee, thanks Tim.  The e-mail was about KB2532445-v2, having to do with Office macros and AppLocker.  Not really sure how this applies to what I reported here, but the hotfix he gave me worked.

    After applying the hotfix the rules no longer gave the error and Office worked as expected.

    Again thank you Tim.


    • Marked as answer by ZenShaze Thursday, June 28, 2012 10:42 PM
    Thursday, June 28, 2012 10:42 PM

All replies

  • Please try to add the group "Authenticated Users" instead of "Domain Users". I suspect some tasks run as Local System.



    Thursday, June 21, 2012 8:30 AM
  • I will give that a try but it will not really do what I am trying to accomplish.  And I guess I should have put that in here.  I am trying to make a rule that does not apply to everyone.  “Authenticated users” would not remove the accounts I am trying to not have the rule apply to.

    I need the limited accounts to be able to run part of office but not all of it so I have a rule for that one part that works for everyone and this rule that works for everyone else (Domain users).  The limited accounts are not in the domain users group, but they would be in the “authenticated users”.

    Thursday, June 21, 2012 10:24 AM
  • So I tried "Authenticated users" and I had the same issue as Domain Users. And really it would not have solved my problem anyway even if it did work. To test this I made a test machine and created a local AppLocker rule.

    TEST 1

    I am using Word this time; the rule is set for a group called "Office Users" (I did not want to use Domain Users again because I think people were getting confused by its use). Again, when trying to open a file with ADS I get an error, slightly different with Word, but the AppLocker event error is the same.

    If I remove the ADS or set the ZoneID to 0, it opens fine, and if I set the rule to "Everyone" it works fine.

    TEST 2

    Repeated the test with Excel and I have the same issues as in the original post.

    Looking at the AppLocker events, I see that when running the file with ADS it generates 2 events. The first one is successful and the second one fails. I believe that the second one is when the application is trying to switch to protected view, and this is what is causing the application to fail.

    So at this point I would say this is a repeatable bug, and I think it has to do with the switch to Protected View.

    At this point I cannot use AppLocker to limit the use of Office 2010 to a Group.


    • Edited by ZenShaze Sunday, June 24, 2012 3:55 PM Align Pictures
    Sunday, June 24, 2012 3:55 PM
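    The reproduction steps above (mark a document with ZoneId=3, open it, then clear the zone or remove the stream) can be driven from PowerShell. The following is an added example, not code from the thread or from Microsoft; the test file path is an assumption and should point at a real Office document when testing against Excel or Word.

```powershell
# Added example (not from the thread): inspect, set and clear the Zone.Identifier
# alternate data stream so the AppLocker behaviour described above can be reproduced
# against a known document. $TestFile is a constructed placeholder path; point it at a
# real .xlsx/.docx for the Office test (an empty file only demonstrates the stream handling).
$TestFile = Join-Path $env:TEMP 'ads-test.xlsx'
if (-not (Test-Path $TestFile)) { New-Item -Path $TestFile -ItemType File | Out-Null }

function Get-ZoneId {
    param([string]$Path)
    # Zone.Identifier is an INI-style stream with a [ZoneTransfer] section.
    # ZoneId=3 (Internet) is what makes Office open the file in Protected View.
    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in (Get-Content -Path $Path -Stream Zone.Identifier)) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Set-ZoneId {
    param([string]$Path, [int]$ZoneId)
    # Writes the same marker a browser download leaves behind.
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

# Failing case from the thread: Internet zone, which triggers Protected View.
Set-ZoneId -Path $TestFile -ZoneId 3
"Zone after marking: {0}" -f (Get-ZoneId $TestFile)
# Open the document in Office here and watch the AppLocker channel below.

# The two changes the thread reports as making the file open correctly:
Set-ZoneId -Path $TestFile -ZoneId 0      # zone 0 = Local machine, no Protected View
Unblock-File -Path $TestFile              # or drop the Zone.Identifier stream entirely
"Zone after unblocking: {0}" -f (Get-ZoneId $TestFile)

# Only the default ':$DATA' stream should remain once the file is unblocked.
Get-Item -Path $TestFile -Stream * | Select-Object Stream, Length

# Most recent AppLocker EXE/DLL events, to see the allow/fail pair the thread describes.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```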