WDAC blocking executables in %userprofile%\Downloads folder

Paul Creedy 21 Reputation points

We have started to implement Intune/MDM within the company and I'm now looking into WDAC configuration profiles and have hit a couple of snags.

I've built a policy using the WDAC wizard (not powershell), taking the built in Windows AllowMicrosoft policy and adding a supplementary policy for additional rules.

This basic policy is blocking the execution of files that are not signed by Microsoft, except an issue with one particular file that still executes successfully. It's a test file provided for Cyber Essentials plus auditing. For some reason the WDAC policy is not blocking this particular .exe file despite not having a digital signature, and certainly not containing a Microsoft digital signature.

For reference the test file is CEPlusWin.exe from IASME

The first question is therefore why is this file executing successfully in the downloads folder when the AllowMicrosoft policy should be preventing it's execution? Other exe files are being prevented from executing.

The second question, related to the first is if this particular file cannot be blocked then how do I block executables in the whole Downloads folder?

I have tried using a custom Deny rule with the WDAC wizard using this path: %userprofile%\Downloads\ or variations of it but the wizard gives this error:

"Invalid path rule. Only one wildcard (*) is allowed per path rule. Wildcards can only be located at the beginning or end of a path rule."

Is it a case of I don't have the rule path correct perhaps?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,837 questions
Microsoft Intune Application management
Microsoft Intune Application management
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Application management: The process of creating, configuring, managing, and monitoring applications.
914 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Paul Creedy 21 Reputation points

    The test file that is executing which is a version of calc.exe with the MS digital signature stripped appears to be actually launching the built in calc.exe

    So unless I'm mistaken the calc.exe (fake) in my downloads folder when executed launches the built in calc.exe The indication this is happening appears to be in the version numbers of the two different .exe's. It appears to be lunching from the downloads folder but it's actually launching the built in one, or appears to be at least. I've heard 'living of the land' techniques mentioned but I'm unfamiliar with that?

    The second problem of how to use WDAC to block .exe's in the downloads folder completely is still also an issue.

    Could anyone confirm whether blocking exe's in a folder is actually accomplishable with WDAC or would some other method be required?

    I'm currently using Software Restriction Policies via Group policy but I'd rather abandon Group Policies in favour of something more current like WDAC.

    0 comments No comments