WDAC blocking executables in %userprofile%\Downloads folder

Question

WDAC blocking executables in %userprofile%\Downloads folder

Anonymous

We have started to implement Intune/MDM within the company and I'm now looking into WDAC configuration profiles and have hit a couple of snags.

I've built a policy using the WDAC wizard (not powershell), taking the built in Windows AllowMicrosoft policy and adding a supplementary policy for additional rules.

This basic policy is blocking the execution of files that are not signed by Microsoft, except an issue with one particular file that still executes successfully. It's a test file provided for Cyber Essentials plus auditing. For some reason the WDAC policy is not blocking this particular .exe file despite not having a digital signature, and certainly not containing a Microsoft digital signature.

For reference the test file is CEPlusWin.exe from IASME

The first question is therefore why is this file executing successfully in the downloads folder when the AllowMicrosoft policy should be preventing it's execution? Other exe files are being prevented from executing.

The second question, related to the first is if this particular file cannot be blocked then how do I block executables in the whole Downloads folder?

I have tried using a custom Deny rule with the WDAC wizard using this path: %userprofile%\Downloads\ or variations of it but the wizard gives this error:

"Invalid path rule. Only one wildcard (*) is allowed per path rule. Wildcards can only be located at the beginning or end of a path rule."

Is it a case of I don't have the rule path correct perhaps?

Crystal-MSFT 54,206 Reputation points Microsoft External Staff

2021-09-30T03:18:49.737+00:00

@Anonymous , From your description, I notice the issue is related with WDAC policy rule.
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create

We will add the tag with "windows-10-security" to see fi we can find the support. As another method, we can open case by calling the Phone support number in the following link to get help:
https://support.microsoft.com/en-us/topic/global-customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2

Thanks for the understanding.

1 answer

Your answer

Crystal-MSFT 54,206 Reputation points Microsoft External Staff

2021-09-30T03:18:49.737+00:00

@Anonymous , From your description, I notice the issue is related with WDAC policy rule.
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create

We will add the tag with "windows-10-security" to see fi we can find the support. As another method, we can open case by calling the Phone support number in the following link to get help:
https://support.microsoft.com/en-us/topic/global-customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2

Thanks for the understanding.

Answer 1

Update.
The test file that is executing which is a version of calc.exe with the MS digital signature stripped appears to be actually launching the built in calc.exe

So unless I'm mistaken the calc.exe (fake) in my downloads folder when executed launches the built in calc.exe The indication this is happening appears to be in the version numbers of the two different .exe's. It appears to be lunching from the downloads folder but it's actually launching the built in one, or appears to be at least. I've heard 'living of the land' techniques mentioned but I'm unfamiliar with that?

The second problem of how to use WDAC to block .exe's in the downloads folder completely is still also an issue.

Could anyone confirm whether blocking exe's in a folder is actually accomplishable with WDAC or would some other method be required?

I'm currently using Software Restriction Policies via Group policy but I'd rather abandon Group Policies in favour of something more current like WDAC.

Share via

WDAC blocking executables in %userprofile%\Downloads folder

1 answer

Your answer