Remember Microsoft has features to bypass its own Software Restriction Policies and AppLocker: Circumventing SRP and AppLocker, By Design and Circumventing SRP and AppLocker to Create a New Process, By Design.
Microsoft has issued a hotfix for this bypass: KB2532445.
It is only for Windows 7 and Windows Server 2008 R2, though; it will not help you if you use SRP on Windows XP or Vista.
Thanks to @mount_knowledge.
Cool. Have you looked at the hotfix to see what the changed behaviour is?
Comment by olleB — Friday 18 November 2011 @ 13:57
@olleB I’ve tested my PoCs with a beta version of the hotfix; their actions were blocked by SRP/AppLocker.
Comment by Didier Stevens — Friday 18 November 2011 @ 17:35
Didier,
Do you know if microsoft solved this issue in Windows 8?
Kind Regards
DFT
Comment by DFT — Wednesday 31 October 2012 @ 11:40
@DFT I don’t think Microsoft considers this an issue, and that it was not included in Windows 8.
Comment by Didier Stevens — Wednesday 31 October 2012 @ 19:57
[…] here: Microsoft Article ID: 2532445 Credit to security researcher Didier Stevens for his blogs on this subject. Remember the key idea behind Software Restriction Policy: your non-Administrator accounts (or […]
Pingback by How to Block Installation Software Using GPO – Tech News — Monday 25 July 2016 @ 5:13