Re: webex.exe blocked by AppLocker

user20190422 · ‎04-22-2019

We enforce AppLocker policy in our organization. I have whitelisted webex.exe with a publisher rule, but it is still getting blocked. This is what Get-AppLockerFileInformation returns for a recent file:

Publisher : O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US\CISCO WEBEX MEETING\CISCOWEBEXSTART.EXE,10039.3.2019.328

So, the PowerShell cmdlet reads it accurately, and I am able to create the whitelist rule. But for whatever reason it is not respected whenever webex.exe is run. This is the only executable I have had this problem with. I believe it might be related to the type of digital signature that is being used, like what is described in the Technet post linked below. When I look at the signatures of other exe's that are whitelisted successfully, I see either a SHA1 certificate only, or a SHA256 in addition to SHA1. Webex.exe has a SHA256 cert only. That seems like the closest possibility I've come across so far anyway. Anybody else run into this issue?

https://social.technet.microsoft.com/Forums/windows/en-US/2f8d3651-127a-466d-86a3-9911ce542285/windows-7-enterprise-applocker-publishing-rules-not-working?forum=w7itprosecurity

user20190422 · ‎04-25-2019

It seems that the issue I described is specific to using Internet Explorer and Edge browsers when joining a meeting. Currently we push IE as default and don't install 3rd party browsers. If we decided to move to Chrome it would solve the problem as it can run a meeting without tripping AppLocker. Or, we could install the webexapp.msi which takes control away from IE when joining a meeting. But we also gain a new app that requires patch maintenance. Obviously, I could create a path rule to allow webex.exe as it is. But that would poke a pretty big hole.

I'm not sure if something has changed because we only recently started having the issue and Webex has always been whitelisted with a publisher rule. But, there are at least some options to workaround it.

sam.guha · ‎03-24-2020

Webex requires applocker exception as under:

Either publisher rule as under: This will cover upgrades and all exe that runs from user profile.

O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA

OR

Path rule:

"%userprofile%\AppData\Local\WebEx\NativeMessagingHosts\ciscowebexstart.exe"

"%userprofile%\AppData\Local\WebEx\WebEx\Meetings\ATMGR.exe"

"%userprofile%\AppData\Local\WebEx\WebEx\Meetings\ WBXREPORT.EXE "

All the above will work when the default allow rule already exists for %PROGRAM FILES% and %WINDOWS%.

user20190422 · ‎03-25-2020

Thanks Sam, but the Publisher rule is still not working for me. Similar to my first post but now, although the file properties show a signature for ciscowebexstart.exe - AppLocker can't read it whatsoever. See screenshot. Default rules are in place as well, but that has nothing to do with it because it's not running in that space. We make very few exceptions for Path rules and this is not going to be one of them. In my opinion Cisco needs to look into the certificate issue and get it working correctly with AppLocker.

sam.guha · ‎03-25-2020

Hi there,
I am new to webex but I am providing the following pointer:

1. The site server version should be same as client version.
2. I am using Desktop app version 40.x msi and don't have any issues.
3. Check for exceptions required on the proxy/firewall.
4. On a test workstation try to run webex removable tool and install the desktop application again: https://help.webex.com/en-us/WBX000026378/Meeting-Services-Removal-Tool
5. Log a support call with webex though the answer from webex support to my call was "I think webex doesn't require any applocker requirements you just need to install it as normal exe file and it's should work the desktop app and productivity tool."
6. To keep management low, I typically allow the publisher to run anything so I don't usually specify a product name or file name.

1. [cid:image001.png@01D60347.1EBD1D80]

Hope this helps.

user20190422 · ‎03-30-2020

I am not trying to fix something on my end. I maintain that THIS IS A CISCO ISSUE. I will try to explain our situation more specifically.

We only have a small amount of users that use Webex so we do not deploy it to all workstations. Instead, we prefer to let it run on as needed basis, temporary application in AppData.
When a user receives an email about joining a meeting they click the link, it opens their web browser and downloads webex to %LOCALAPPDATA%\WebEx.
Ciscowebexstart.exe gets blocked by AppLocker because it’s digital signature IS NOT COMPATIBLE with AppLocker, not because it’s lacking the appropriate whitelist rule.
So, the user has to click the “join meeting in browser” option instead. But they don’t always know or remember that part and end up calling the Help Desk.

So, we have a workaround and are not in need of an immediate fix. But, something changed close to a year ago when I started this post because it used to work fine. Regarding the response to your support call. They must be assuming an administrative install that goes in Program Files. But we don’t do that, see number 1. All other suggestions are invalid. Sam, how about you try the same PS command that I did. It definitively illustrates that “ciscowebexstart.exe” CANNOT BE WHITELISTED WITH A PUBLISHER RULE because as far as AppLocker is concerned it has no certificate.

I will do it again, this time comparing with “webex.exe” that also resides in that directory. See how AppLocker can read it’s Publisher information, but for “ciscowebexstart.exe” it cannot?

Chad.S.Hohman · ‎02-01-2021

I got this working, here is what I did.

Right click on the webex.exe and select properties
Select digital signatures tab
Click on name of the signer and click details tab
Click on view certificate and then install certificate
Select local machine, click next, select place all certificates in the following store
Browse and select Trusted Root Certification Authorities
Next and Finish

Now it should not give that error while you select webex.exe for a publisher rule