Hi Everyone,
I've been playing with this for the past two weeks and have a good grip on the way it differs from AppLocker. I have come across an issue during testing with Connectwise Control: when an on-demand support session is created on a PC with WDAC implemented, the support exe file is allowed to run, because of the exceptions I've implemented and because the file is officially signed by Connectwise, but halfway through the execution process it fails.
Looking through the event logs I see:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe) attempted to load \Device\HarddiskVolume3\Users<user>\AppData\Local\Temp\Deployment\72TG2L8V.2QY\JRAY8RDK.535\ScreenConnect.Client.dll that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{23251f30-d915-4ec2-b436-9c5aefa1e1ea}).
This happens for 2 DLLs and no matter what I do to exclude the following files:
screenconnect.client.dll
screenconnect.windows.dll
They are never allowed to run because none of these DLL files are signed. I've tried file hash and path exceptions, and still the problem persists. How can I work around this? How can you get these files that are unsigned to run given the exceptions?
These are the file path rules I have applied that don't work.
Filepath: *\screenconnect.client.dll
Filepath: *\screenconnect.windows.dll
I am using WDAC Policy Wizard to create my policies, which works brilliantly, and have tried both the more restrictive "Allow Microsoft Mode" and the less restrictive "Signed and Reputable Mode"; in both instances the results are the same.
The hash file is empty because there is no file signature, or at least that's my understanding. I've even tried a File Attributes exclusion but that delivered the same results.
Thanks in advance
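As an added example (not from the original post), this is how a defender would put per-file hash rules for the two unsigned DLLs into a copy of the Wizard-generated policy and then confirm from the Code Integrity log whether anything ScreenConnect-related is still being blocked. The paths C:\WDAC\BasePolicy.xml and C:\WDAC\ScreenConnect\ are assumptions; the DLLs are assumed to have been copied out of a session's Temp\Deployment folder.

```powershell
# Added example, not the original poster's configuration.
# Assumed locations: the Wizard's base policy XML and copies of the two DLLs.
$basePolicy = 'C:\WDAC\BasePolicy.xml'
$dlls = @(
    'C:\WDAC\ScreenConnect\ScreenConnect.Client.dll',
    'C:\WDAC\ScreenConnect\ScreenConnect.Windows.dll'
)

# Hash rules match an unsigned file by its content, so they do not depend on a
# signature. Caveat: every new ScreenConnect build ships different binaries,
# so these hashes must be regenerated whenever the client is updated.
$rules = foreach ($dll in $dlls) {
    New-CIPolicyRule -DriverFilePath $dll -Level Hash
}

# Merge the new rules into a copy of the base policy rather than editing it in place.
$merged = 'C:\WDAC\MergedPolicy.xml'
Merge-CIPolicy -PolicyPaths $basePolicy -Rules $rules -OutputFilePath $merged

# Why the wildcard path rules in the post never matched: by default WDAC does not
# honour FilePath rules for locations that standard users can write to, such as
# %LOCALAPPDATA%\Temp. That protection can be turned off with option 18
# (Disabled:Runtime FilePath Rule Protection), but doing so lets any user-writable
# path satisfy a path rule, so hash rules are the safer route for these DLLs.
# Option 3 (Enabled:Audit Mode) keeps the test policy in audit mode while validating.
Set-RuleOption -FilePath $merged -Option 3

# Compile to the binary form that is deployed to the test PC.
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath 'C:\WDAC\MergedPolicy.cip'

# Verification after a support session: 3077 is the enforcement-mode block event,
# 3076 the audit-mode equivalent. Any remaining ScreenConnect entry means a DLL
# (or a different build of it) is still not covered by the rules.
$blocked = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ScreenConnect' } |
    Select-Object TimeCreated, Id, Message

$blocked | Format-List
```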