Windows 7 Enterprise Applocker Publishing Rules not Working

    Question

  • Hello,

    I can't seem to get any of the publisher rules to work for AppLocker. The Application Identity service is running. The operational log for AppID marks the executables with a status of 0xfffffffe (I don't know what that means) and a blank PublisherName. The files show good digital signatures. The AppLocker log files show that they are hitting RuleID {00000000-0000-0000-0000-000000000000}, which I'm assuming means it didn't hit any specific rule and is denying by default. My publisher rule is the generic Allow Everyone Signed by *. I've tested more specific publisher rules, but they show the same results. My theory is that AppID is not communicating with the Cryptographic Service, CAPI2. Can anyone shine a light on this?

    Update: I am getting certain files to hit the generic rule but files in the user profile are still not being processed. Does network connectivity affect the processing of publisher rules?

    Update: The problem appears to be related to certain digital signatures. Digital signatures signed with SHA256 algorithms do not seem to hit my publisher rules.

    Running in FIPS mode as the culprit has been ruled out.

    Shared Log: https://drive.google.com/file/d/0B4TPEx6HOMazd3lFMnFYWGFWb2s/view?usp=sharing

    CAPI2 log has entries like:


    - System
    - Provider
    [ Name] Microsoft-Windows-CAPI2
    [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
    EventID 30
    Version 0
    Level 2
    Task 30
    Opcode 0
    Keywords 0x4000000000000001
    - TimeCreated
    [ SystemTime] 2017-06-12T20:20:35.770336500Z
    EventRecordID 9578170
    Correlation
    - Execution
    [ ProcessID] 1224
    [ ThreadID] 9940
    Channel Microsoft-Windows-CAPI2/Operational
    Computer xxxx@xxx.com
    - Security
    [ UserID] S-1-5-19
    - UserData
    - CertVerifyCertificateChainPolicy
    - Policy
    [ type] CERT_CHAIN_POLICY_AUTHENTICODE
    [ constant] 2
    - Certificate
    [ fileRef] 5A9272CE76A9415A4A3A5002A2589A049312AA40.cer
    [ subjectName] Google Inc
    - CertificateChain
    [ chainRef] {90DD265D-23A7-4CF3-89C9-59247FC70C86}
    - Flags
    [ value] 0
    - AuthenticodeAdditionalPolicyInfo
    - RegPolicySetting
    [ value] 20000
    [ WTPF_IGNOREREVOCATIONONTS] true
    - Status
    [ chainIndex] 0
    [ elementIndex] 0
    - EventAuxInfo
    [ ProcessName] svchost.exe
    - CorrelationAuxInfo
    [ TaskId] {16CA58E6-1D61-495D-B7A4-C88E8D5A4816}
    [ SeqNumber] 16
    - Result The revocation process could not continue - the certificate(s) could not be checked.
    [ value] 800B010E


    Shared CAPI2 log: https://drive.google.com/file/d/0B4TPEx6HOMazX3VoVmJOSng3bVE/view?usp=sharing


    June 8, 2017 17:43
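The three things the question looks at (what AppID extracts from a file, which rule the file ends up hitting, and what the AppLocker log recorded) can be reproduced from PowerShell instead of reading Event Viewer by hand. The script below is an added example and is not part of the original post; it assumes the AppLocker module that ships with Windows 7 Enterprise, PowerShell 3.0 or later, and the standard AppLocker event log name. The file paths are placeholders.

```powershell
# Added example (not from the thread): reproduce the publisher-rule checks from
# PowerShell.  Assumes the built-in AppLocker module (Windows 7 Enterprise or
# later) and PowerShell 3.0+.  Paths below are placeholders.
Import-Module AppLocker

# 1. What does AppLocker itself extract from the file?  This is the publisher
#    data a publisher condition is matched against; if it comes back empty,
#    no publisher rule can match no matter how the rule is written.
function Get-PublisherInfo {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $info = Get-AppLockerFileInformation -Path $p
        $pub  = $info.Publisher
        $fqbn = '(none)'
        if ($pub) {
            # Same shape as the Fqbn field in the AppLocker event log:
            # O=...,L=...,S=...,C=...\ProductName\BinaryName\Version
            $fqbn = '{0}\{1}\{2}\{3}' -f $pub.PublisherName, $pub.ProductName,
                                          $pub.BinaryName, $pub.BinaryVersion
        }
        New-Object PSObject -Property @{ Path = $p; Fqbn = $fqbn }
    }
}

# 2. Which effective rule would the file hit for a given user?
function Test-EffectiveRule {
    param([string[]]$Path, [string]$User = 'Everyone')
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 3. Recent EXE/DLL decisions from the AppLocker log.  8002 = allowed,
#    8003 = audit-only (would have been blocked), 8004 = blocked.  Events whose
#    RuleId is all zeros and whose Fqbn is '-' are the ones this thread is about.
function Get-AppLockerDecisions {
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8002, 8003, 8004 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = $x.Event.UserData.RuleAndFileData
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            FilePath  = $d.FilePath
            RuleId    = $d.RuleId
            Fqbn      = $d.Fqbn
            NoRuleHit = ($d.RuleId -eq '{00000000-0000-0000-0000-000000000000}')
        }
      }
}

# Usage: compare a file that hits the rule with one that does not.
$files = "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe",
         "$env:SystemRoot\System32\notepad.exe"
Get-PublisherInfo -Path $files | Format-List
Test-EffectiveRule -Path $files | Format-Table -AutoSize
Get-AppLockerDecisions | Where-Object { $_.NoRuleHit -or $_.Fqbn -eq '-' } |
    Format-Table Time, EventId, FilePath, RuleId, Fqbn -AutoSize
```

If Get-PublisherInfo already returns "(none)" for a file that Get-AuthenticodeSignature reports as Valid, the problem sits between signature verification and AppLocker's publisher extraction, which is the CAPI2 side of the thread; if it returns a full FQBN but Test-EffectiveRule still reports no matching rule, the rule itself is the problem.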

All replies

  • Hi, 

    To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Each signing certificate MUST chain up to a trusted root certification authority that is installed in the Local Computer store. 

    Please install the update for some untrusted certificates: 

    Note:  After this update is installed, customers benefit from quick automatic updates of untrusted certificates. 


    https://support.microsoft.com/en-us/help/2677070/an-automatic-updater-of-untrusted-certificates-is-available-for-windows-vista,-windows-server-2008,-windows-7,-and-windows-server-2008-r2

    For further troubleshooting, please upload the event log to OneDrive and share the link here for our research: save all the events as an .evtx file. 

    https://technet.microsoft.com/en-us/library/ee844150(v=ws.11).aspx


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    June 12, 2017 5:26
    Moderator
  • Hello,

    Thanks for replying. After initial troubleshooting, the problem isn't that it doesn't read certificates. It is specifically certificates signed with the SHA-256 algorithm. It can read and process SHA-1 certificates fine. Now that I think about it, this is probably caused by running the computers in FIPS mode.

    June 12, 2017 16:45
  • One of the EXEs that do not match the publisher rule is Chrome, and of course it does chain up to a trusted root.
    June 12, 2017 17:22
  • Hi, 

    I found this information in your event log: 

    Would you please make sure that you can access the CRL as below? Open IE to directly access the url. 

    http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 

    - RevocationInfo
       [ freshnessTime]  P203DT22H39M34S
      - RevocationResult The revocation function was unable to check revocation because the revocation server was offline.
       [ value]  80092013
      - CertificateRevocationList
       [ location]  TvoCache
       [ url]  http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
       [ fileRef]  B2A57B544F9B889695FC28CFE5EEDAA85B4B6602.crl
       [ issuerName]  Microsoft Root Certificate Authority



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    June 13, 2017 10:22
    Moderator
  • Yeah, I saw those too, but I can access the CRL just fine. From what I can gather, AppLocker does not process digital signatures when they are SHA-256. I suspect this is related to MS13-095. The appropriate KBs are installed, so I'm thinking this is a regression bug.
    June 13, 2017 15:15
  • When I run a SHA-1 EXE it hits the publisher rule just fine:

    - RuleAndFileData
    PolicyName EXE
    RuleId {F1F8ED5C-FF8E-4A31-B3AB-D1D836A58D9B}
    RuleName Signed by *
    RuleSddl D:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({"*\*\*",0}))))
    TargetUser S-1-5-21-3269956768-690274577-696928134-1625
    TargetProcessId 5216
    FilePath %OSDRIVE%\TEMP\HAPINT64.EXE
    FileHash 2C0CE80410C41C03D533575A72965C07633A981C7671D26B55BF8F8FCCC02E1B
    Fqbn O=DELL INC., L=ROUND ROCK, S=TEXAS, C=US\DELL(R) HARDWARE ABSTRACTION\HAPINT.EXE\9.1.0.53

    June 13, 2017 15:20
  • This is what happens when I run Chrome.exe. Notice the RuleID and the Fqbn.

    RuleAndFileData

    PolicyName EXE
    RuleId {00000000-0000-0000-0000-000000000000}
    RuleName -
    RuleSddl -
    TargetUser S-1-5-21-3269956768-690274577-696928134-1625
    TargetProcessId 3956
    FilePath %OSDRIVE%\USERS\XXXUSERXXX\APPDATA\LOCAL\GOOGLE\CHROME SXS\APPLICATION\CHROME.EXE
    FileHash 95E5138AB6A9E247C077D1CD591176A420EC0500BACFC42F2DA0200A26B26E86
    Fqbn -
    June 13, 2017 15:41
  • Here we can see that CAPI2 can process the certificate from Chrome.exe at least some of the time.

    - UserData 

      - CertGetCertificateChain 

      - Certificate 

       [ fileRef]  34F50F108259EF2DDB96CC5BC4663383DC91AF09.cer 
       [ subjectName]  www.google.com 

      - AdditionalStore 

      - Certificate 

       [ fileRef]  7359755C6DF9A0ABC3060BCE369564C8EC4542A3.cer 
       [ subjectName]  GeoTrust Global CA 

      - Certificate 

       [ fileRef]  A6120FC0B4664FAD0B3B6FFD5F7A33E561DDB87D.cer 
       [ subjectName]  Google Internet Authority G2 

      - Certificate 

       [ fileRef]  34F50F108259EF2DDB96CC5BC4663383DC91AF09.cer 
       [ subjectName]  www.google.com 


      - ExtendedKeyUsage 

       [ orMatch]  true 
      - Usage 

       [ oid]  1.3.6.1.5.5.7.3.1 
       [ name]  Server Authentication 

      - Usage 

       [ oid]  1.3.6.1.4.1.311.10.3.3 

      - Usage 

       [ oid]  2.16.840.1.113730.4.1 


      - Flags 

       [ value]  20000000 
       [ CERT_CHAIN_REVOCATION_CHECK_CHAIN]  true 

      - ChainEngineInfo 

       [ context]  user 

      - CertificateChain 

       [ chainRef]  {E166DF21-9496-4B97-9E72-6BA7558E05A8} 
      - TrustStatus 

      - ErrorStatus 

       [ value]  0 

      - InfoStatus 

       [ value]  100 
       [ CERT_TRUST_HAS_PREFERRED_ISSUER]  true 


      - ChainElement 

      - Certificate 

       [ fileRef]  34F50F108259EF2DDB96CC5BC4663383DC91AF09.cer 
       [ subjectName]  www.google.com 

      - SignatureAlgorithm 

       [ oid]  1.2.840.113549.1.1.11 
       [ hashName]  SHA256 
       [ publicKeyName]  RSA 

      - PublicKeyAlgorithm 

       [ oid]  1.2.840.113549.1.1.1 
       [ publicKeyName]  RSA 
       [ publicKeyLength]  2048 

      - TrustStatus 

      - ErrorStatus 

       [ value]  0 

      - InfoStatus 

       [ value]  102 
       [ CERT_TRUST_HAS_KEY_MATCH_ISSUER]  true 
       [ CERT_TRUST_HAS_PREFERRED_ISSUER]  true 


      - ApplicationUsage 

      - Usage 

       [ oid]  1.3.6.1.5.5.7.3.1 
       [ name]  Server Authentication 

      - Usage 

       [ oid]  1.3.6.1.5.5.7.3.2 
       [ name]  Client Authentication 


      - IssuanceUsage 

      - Usage 

       [ oid]  1.3.6.1.4.1.11129.2.5.1 

      - Usage 

       [ oid]  2.23.140.1.2.2 


      - RevocationInfo 

       [ freshnessTime]  PT14H47M10S 
      - RevocationResult 

       [ value]  0 

      - CertificateRevocationList 

       [ location]  TvoCache 
       [ url]  http://pki.google.com/GIAG2.crl 
       [ fileRef]  859E4D62704B57C601B19F1D2ABC5757511D4DB2.crl 
       [ issuerName]  Google Internet Authority G2 



      - ChainElement 

      - Certificate 

       [ fileRef]  A6120FC0B4664FAD0B3B6FFD5F7A33E561DDB87D.cer 
       [ subjectName]  Google Internet Authority G2 

      - SignatureAlgorithm 

       [ oid]  1.2.840.113549.1.1.11 
       [ hashName]  SHA256 
       [ publicKeyName]  RSA 

      - PublicKeyAlgorithm 

       [ oid]  1.2.840.113549.1.1.1 
       [ publicKeyName]  RSA 
       [ publicKeyLength]  2048 

      - TrustStatus 

      - ErrorStatus 

       [ value]  0 

      - InfoStatus 

       [ value]  102 
       [ CERT_TRUST_HAS_KEY_MATCH_ISSUER]  true 
       [ CERT_TRUST_HAS_PREFERRED_ISSUER]  true 


      - ApplicationUsage 

      - Usage 

       [ oid]  1.3.6.1.5.5.7.3.1 
       [ name]  Server Authentication 

      - Usage 

       [ oid]  1.3.6.1.5.5.7.3.2 
       [ name]  Client Authentication 


      - IssuanceUsage 

      - Usage 

       [ oid]  1.3.6.1.4.1.11129.2.5.1 

      - Usage 

       [ oid]  2.23.140.1.2.2 


      - RevocationInfo 

       [ freshnessTime]  P81DT5H14M51S 
      - RevocationResult 

       [ value]  0 

      - CertificateRevocationList 

       [ location]  TvoCache 
       [ url]  http://g.symcb.com/crls/gtglobal.crl 
       [ fileRef]  E3181A10723FD41E646FD385FA91D76A07C145E0.crl 
       [ issuerName]  GeoTrust Global CA 



      - ChainElement 

      - Certificate 

       [ fileRef]  DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.cer 
       [ subjectName]  GeoTrust Global CA 

      - SignatureAlgorithm 

       [ oid]  1.2.840.113549.1.1.5 
       [ hashName]  SHA1 
       [ publicKeyName]  RSA 

      - PublicKeyAlgorithm 

       [ oid]  1.2.840.113549.1.1.1 
       [ publicKeyName]  RSA 
       [ publicKeyLength]  2048 

      - TrustStatus 

      - ErrorStatus 

       [ value]  0 

      - InfoStatus 

       [ value]  10A 
       [ CERT_TRUST_HAS_KEY_MATCH_ISSUER]  true 
       [ CERT_TRUST_IS_SELF_SIGNED]  true 
       [ CERT_TRUST_HAS_PREFERRED_ISSUER]  true 


      - ApplicationUsage 

      - Usage 

       [ oid]  1.3.6.1.5.5.7.3.1 
       [ name]  Server Authentication 

      - Usage 

       [ oid]  1.3.6.1.5.5.7.3.2 
       [ name]  Client Authentication 

      - Usage 

       [ oid]  1.3.6.1.5.5.7.3.4 
       [ name]  Secure Email 

      - Usage 

       [ oid]  1.3.6.1.5.5.7.3.3 
       [ name]  Code Signing 

      - Usage 

       [ oid]  1.3.6.1.5.5.7.3.8 
       [ name]  Time Stamping 


      - IssuanceUsage 

       [ any]  true 

      - RevocationInfo 

      - RevocationResult 

       [ value]  0 




      - EventAuxInfo 

       [ ProcessName]  chrome.exe 

      - CorrelationAuxInfo 

       [ TaskId]  {90EF6F17-D5D0-42F5-8F73-6BF0454C332C} 
       [ SeqNumber]  13 

      - Result 

       [ value]  0 


    June 13, 2017 15:50
  • Here we can see that CAPI2 can verify revocation for the Chrome.exe cert:

    - UserData 

      - CertVerifyRevocation 

      - Certificate 

       [ fileRef]  A6120FC0B4664FAD0B3B6FFD5F7A33E561DDB87D.cer 
       [ subjectName]  Google Internet Authority G2 
     
      - IssuerCertificate 

       [ fileRef]  DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.cer 
       [ subjectName]  GeoTrust Global CA 
     
      - Flags 

       [ value]  0 
     
      - AdditionalParameters 

       [ timeToUse]  2017-06-13T15:47:12.505Z 
       [ currentTime]  2017-06-13T15:47:12.505Z 
       [ urlRetrievalTimeout]  PT15S 
     
      - RevocationStatus 

       [ index]  0 
       [ error]  0 
       [ reason]  0 
       [ actualFreshnessTime]  P81DT5H14M51S 
     
      - CertificateRevocationList 

       [ location]  TvoCache 
       [ url]  http://g.symcb.com/crls/gtglobal.crl 
       [ fileRef]  E3181A10723FD41E646FD385FA91D76A07C145E0.crl 
       [ issuerName]  GeoTrust Global CA 
     
      - EventAuxInfo 

       [ ProcessName]  chrome.exe 
     
      - CorrelationAuxInfo 

       [ TaskId]  {90EF6F17-D5D0-42F5-8F73-6BF0454C332C} 
       [ SeqNumber]  11 
     
      - Result 

       [ value]  0 
     
     


    June 13, 2017 15:52
  • Actually, I think the timestamp revocation check is the problem:

    - UserData 

      - CertVerifyRevocation 

      - Certificate 

       [ fileRef]  625AEC3AE4EDA1D169C4EE909E85B3BBC61076D3.cer 
       [ subjectName]  Symantec SHA256 TimeStamping Signer - G2 
     
      - IssuerCertificate 

       [ fileRef]  6FC9EDB5E00AB64151C1CDFCAC74AD2C7B7E3BE4.cer 
       [ subjectName]  Symantec SHA256 TimeStamping CA 
     
      - Flags 

       [ value]  6 
       [ CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION]  true 
       [ CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG]  true 
     
      - AdditionalParameters 

       [ timeToUse]  2017-06-03T10:13:50Z 
       [ currentTime]  2017-06-13T15:47:08.906Z 
       [ urlRetrievalTimeout]  PT19.996S 
     
      - RevocationStatus 

       [ index]  0 
       [ error]  80092013 
       [ reason]  0 
     
      - EventAuxInfo 

       [ ProcessName]  svchost.exe 
     
      - CorrelationAuxInfo 

       [ TaskId]  {B4C02524-7EB4-46CC-9645-832AE20FFDA8} 
       [ SeqNumber]  14 
     
      - Result The revocation function was unable to check revocation because the revocation server was offline. 

       [ value]  80092013 
     
     

    June 13, 2017 15:56
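Both the moderator's CRL-reachability question and the timestamp-revocation finding in the post above can be checked in one pass over the CAPI2 operational log rather than by scrolling through Event Viewer. The script below is an added example, not code from the thread: it enables the CAPI2 log, lists every CAPI2 event whose Result is non-zero together with the operation, certificate subject, process, timeToUse, cache-only flag and CRL URLs involved, and then tries to download each CRL URL that appeared in a failing event. It assumes Windows 7 with PowerShell 3.0 or later and an elevated prompt for wevtutil; the three result codes in the table are the ones that appear in this thread.

```powershell
# Added example (not from the thread): triage CAPI2 revocation failures.
# Assumes PowerShell 3.0+ on Windows 7; enabling the log needs an elevated prompt.
$Capi2Log = 'Microsoft-Windows-CAPI2/Operational'

# The log is off by default.  Enable it, reproduce the AppLocker block, then query.
function Enable-Capi2Log { & wevtutil.exe sl $Capi2Log /e:true }

# Result codes seen in this thread (HRESULT in hex, as CAPI2 logs it).
$Capi2Codes = @{
    '80092013' = 'CRYPT_E_REVOCATION_OFFLINE  - revocation server offline / CRL not retrievable'
    '800B010E' = 'CERT_E_REVOCATION_FAILURE   - revocation process could not continue'
    '80092012' = 'CRYPT_E_NO_REVOCATION_CHECK - no revocation information available'
}

# XPath with local-name() sidesteps the event and CAPI2 XML namespaces.
# Returns the attribute of the first element with that name, or $null.
function Get-Attr([xml]$Xml, [string]$Element, [string]$Attribute) {
    $n = $Xml.SelectSingleNode("//*[local-name()='$Element']")
    if ($n) { $n.GetAttribute($Attribute) } else { $null }
}

function Get-Capi2Failures {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -LogName $Capi2Log -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        $x    = [xml]$_.ToXml()
        $code = Get-Attr $x 'Result' 'value'
        if (-not $code -or $code -eq '0') { return }          # success, skip
        $op   = $x.SelectSingleNode("//*[local-name()='UserData']/*").LocalName
        $urls = @($x.SelectNodes("//*[local-name()='CertificateRevocationList']") |
                  ForEach-Object { $_.GetAttribute('url') })
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Operation = $op                 # CertVerifyRevocation, CertVerifyCertificateChainPolicy, ...
            Process   = Get-Attr $x 'EventAuxInfo' 'ProcessName'
            Subject   = Get-Attr $x 'Certificate' 'subjectName'
            # A timeToUse in the past means the signing-time (timestamp) is being checked.
            TimeToUse = Get-Attr $x 'AdditionalParameters' 'timeToUse'
            # Flags value 6 in the thread = cache-only + accumulative timeout:
            # only an already-cached CRL can satisfy such a check.
            CacheOnly = (Get-Attr $x 'Flags' 'CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION') -eq 'true'
            Code      = $code
            Meaning   = $Capi2Codes[$code]
            CrlUrls   = ($urls -join ' ')
        }
    }
}

# Fetch each CRL URL that showed up in a failing event, as the moderator
# suggested doing in IE, using the current user's proxy settings.
function Test-CrlUrl {
    param([string[]]$Url)
    $wc = New-Object System.Net.WebClient
    $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    foreach ($u in ($Url | Sort-Object -Unique)) {
        try {
            $bytes = $wc.DownloadData($u)
            New-Object PSObject -Property @{ Url = $u; Reachable = $true;  Bytes = $bytes.Length; Error = $null }
        } catch {
            New-Object PSObject -Property @{ Url = $u; Reachable = $false; Bytes = 0; Error = $_.Exception.Message }
        }
    }
}

# Usage
$failures = Get-Capi2Failures
$failures | Group-Object Code, Operation | Select-Object Count, Name | Format-Table -AutoSize
$failures | Where-Object { $_.Process -eq 'svchost.exe' } |
    Format-Table Time, Operation, Subject, TimeToUse, CacheOnly, Code -AutoSize
$crls = $failures | ForEach-Object { $_.CrlUrls -split ' ' } | Where-Object { $_ }
Test-CrlUrl -Url $crls | Format-Table Url, Reachable, Bytes, Error -AutoSize
```

Test-CrlUrl runs as the logged-on user, while the failing events in the thread come from svchost.exe under S-1-5-19 (Local Service). A CRL that downloads fine here but still fails in the log therefore points at the service's own context (proxy, cache, or the cache-only flag on the timestamp check) rather than at plain network reachability, which matches the original poster's "I can access the CRL just fine".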
  • We had a McAfee EXE signed with SHA1 and SHA256 certificates that had slightly different names (one in CALIFORNIA and one in OREGON). We set up a rule for each and tested each in turn. I can remember that only the SHA1 rule worked; the SHA256 rule was ignored.
    July 13, 2018 7:16
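The SHA-256 question raised in the updates to the original post, and the McAfee case above (one file carrying a SHA-1 and a SHA-256 signature from certificates with different subjects), can be settled by reading the signatures straight out of the PE file. Get-AuthenticodeSignature reports only the first signature, so the script below, an added example rather than code from the thread, walks the PE security directory, decodes the PKCS#7 SignedData blob, and follows the nested-signature unsigned attribute (OID 1.3.6.1.4.1.311.2.4.1) to list every signer with its digest algorithm and certificate subject. It assumes PowerShell 3.0 or later with the .NET Framework's System.Security assembly; the path in the usage line is a placeholder.

```powershell
# Added example (not from the thread): enumerate every Authenticode signature
# in a PE file, including nested (dual) signatures, with digest algorithm and
# signer subject.  Assumes PowerShell 3.0+ and .NET Framework on Windows 7+.
Add-Type -AssemblyName System.Security

$NestedSignatureOid = '1.3.6.1.4.1.311.2.4.1'   # szOID_NESTED_SIGNATURE

# Return each PKCS#7 blob from the IMAGE_DIRECTORY_ENTRY_SECURITY table.
function Get-PeSecurityBlobs {
    param([byte[]]$Bytes)
    $peOff = [BitConverter]::ToInt32($Bytes, 0x3C)                 # e_lfanew
    if ($Bytes[$peOff] -ne 0x50 -or $Bytes[$peOff + 1] -ne 0x45) { throw 'Not a PE file' }
    $optOff = $peOff + 24                                          # optional header after 4-byte sig + 20-byte file header
    $magic  = [BitConverter]::ToUInt16($Bytes, $optOff)
    $ddOff  = if ($magic -eq 0x20B) { $optOff + 112 } else { $optOff + 96 }   # PE32+ vs PE32 data directory
    $secOff  = [BitConverter]::ToInt32($Bytes, $ddOff + 4 * 8)     # entry 4; holds a raw file offset, not an RVA
    $secSize = [BitConverter]::ToInt32($Bytes, $ddOff + 4 * 8 + 4)
    if ($secSize -eq 0) { return }                                 # unsigned file
    $pos = $secOff
    $end = $secOff + $secSize
    while ($pos + 8 -le $end) {                                    # WIN_CERTIFICATE entries, 8-byte aligned
        $len  = [BitConverter]::ToInt32($Bytes, $pos)              # dwLength, includes the 8-byte header
        $type = [BitConverter]::ToUInt16($Bytes, $pos + 6)         # wCertificateType
        if ($len -lt 8) { break }
        if ($type -eq 0x0002) {                                    # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            $blob = New-Object byte[] ($len - 8)
            [Array]::Copy($Bytes, $pos + 8, $blob, 0, $len - 8)
            ,$blob
        }
        $pos += ($len + 7) -band (-bnot 7)
    }
}

# Decode one SignedData blob, then recurse into nested signatures.
function Expand-Signatures {
    param([byte[]]$Blob, [int]$Level = 0)
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($Blob)
    foreach ($si in $cms.SignerInfos) {
        New-Object PSObject -Property @{
            Level           = $Level                                  # 0 = primary, 1+ = nested
            DigestAlgorithm = $si.DigestAlgorithm.FriendlyName         # sha1 / sha256: the file digest
            Signer          = $si.Certificate.Subject                  # what a publisher rule has to name
            Issuer          = $si.Certificate.Issuer
            CertSigAlg      = $si.Certificate.SignatureAlgorithm.FriendlyName   # sha1RSA / sha256RSA
            NotAfter        = $si.Certificate.NotAfter
        }
        foreach ($attr in $si.UnsignedAttributes) {
            if ($attr.Oid.Value -eq $NestedSignatureOid) {
                foreach ($v in $attr.Values) { Expand-Signatures -Blob $v.RawData -Level ($Level + 1) }
            }
        }
    }
}

function Get-AuthenticodeSignatures {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    foreach ($blob in Get-PeSecurityBlobs -Bytes $bytes) { Expand-Signatures -Blob $blob }
}

# Usage (path is a placeholder).  Get-AuthenticodeSignature shows only Level 0.
Get-AuthenticodeSignatures -Path "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe" |
    Format-Table Level, DigestAlgorithm, CertSigAlg, Signer -AutoSize
```

Two columns matter for this thread. DigestAlgorithm is the algorithm the file itself was signed with, which is the SHA-1 versus SHA-256 distinction the poster is chasing; CertSigAlg is the algorithm the CA used on the signer certificate, which is a different thing and is what the chain events in the CAPI2 log report. And on a dual-signed file the Signer column shows whether the two signatures really come from certificates with different subjects, in which case a single publisher rule can only ever name one of them.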