AppLocker Blocking Signed App

asked 2020-09-29T17:08:33.173+00:00
Brian Benavidez 201 Reputation points

I have a packaged app rule that allows all signed packaged apps and is in auditonly mode. When the application is launched I get Event ID 8021 (indicating the app would have been blocked if in enforcement mode) with the following details:
PolicyName: APPX
RuleId: {00000000-0000-0000-0000-000000000000}
RuleName: -

Normally, when an application or executable is blocked, these fields are populated. I am guessing the all 0 RuleId means the application in question was blocked because of a lack of rule (not whitelisted). So I created a rule to explicitly allow the application in question and I get the same result.

Furthermore, the event says "was allowed to run but would have been prevented from running if the AppLocker policy were enforced." which is odd because normally this event is formatted as "<App Name> was allowed to run but..." where the app name is included. In my case there's just nothing there.

OS: Windows 10 Enterprise
Build: 19041.508

Thoughts?

UPDATE 1: I reinstalled Windows and the problem went away (the app was no longer being blocked and its name was included in the AppLocker events). It was working fine until I connected to the internet and then the exact same problem came back. The app in question is a custom one (it's signed) so I wonder if this is somehow related to Microsoft's reputation based protections. I tried turning reputation based protections off in Windows Defender as an experiment and it didn't make a difference.

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,132 questions
No comments
{count} votes

Accepted answer
  1. answered 2020-09-30T20:18:24.953+00:00
    Brian Benavidez 201 Reputation points

    It turns out the intermediate and root CA were missing from the system's certificate stores. I used the solution from this SO post to check the certificate chain: https://stackoverflow.com/questions/28101140/get-chain-of-certificates-for-a-file-with-powershell. The last certificate listed in the list of certs must be included in the Trusted Root Certification Authorities store.

    After including the necessary certificates, the AppLocker cache needs to be deleted (C:\Windows\System32\AppLocker\AppCache.dat) after which previously blocked apps who use those certs should run without issue.

    It's interesting that the AppLocker logs omit the name of the application when the root CA of the signed package can't be found. It would be useful to include the name of the application and even go so far as include the reason the AppLocker rule failed e.g. <app name> was prevented from running. Signature was not trusted". It would also be useful if Test-AppLockerPolicy identified these issues since, in my case, it claimed the application was "Allowed".

    No comments

2 additional answers

Sort by: Most helpful
  1. answered 2020-09-30T09:27:11.243+00:00
    Jenny Yan-MSFT 9,196 Reputation points

    Hi,
    What kind of certificates SHA1 or SHA256 used for the digital signature?

    In below similar thread, User LU shared his findings on the different certificates used when applying AppLocker rules.
    https://social.technet.microsoft.com/Forums/en-US/2f8d3651-127a-466d-86a3-9911ce542285/windows-7-enterprise-applocker-publishing-rules-not-working?forum=w7itprosecurity

    Moreover, you could run follow commands to test test AppLocker policies against the packaged apps.
    Get-AppLockerPolicy –Effective –XML > C:\path\some.xml
    Get-AppxPackage -AllUsers | Test-AppLockerPolicy -XmlPolicy C:\path\some.xml
    https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy

    https://learn.microsoft.com/en-us/powershell/module/applocker/get-applockerpolicy?view=win10-ps

    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny

    No comments

  2. answered 2020-09-30T15:42:00.19+00:00
    Brian Benavidez 201 Reputation points

    Thanks for your response, Jenny. The signature on the p7x file is SHA256. I see that the post you referred to mentioned there could be problems with SHA256 but several other Microsoft apps are using the same. They went on to discuss that the certificate chain might be broken but Get-AuthenticodeSignature returns Valid. Does 'Valid' imply the chain is trusted or simply that the signature was not tampered with? The Signature class just says it returns the cert's "Status". I'd like to test it with whatever mechanism AppLocker is using to validate signatures.

    Do you know if the signature checks are logged? I don't see anything under the CAPI2 logs.

    Test-AppLockerPolicy against the effective AppLocker policy returns "Allowed (Default Rule) All signed packaged apps" for every app including the blocked app.

    No comments