Re: AppLocker blocked WebEx.exe although exception

virenschutz · ‎05-22-2019

Hello

WebEx-Team, for a few days AppLocker blocked Webex.exe although an exception has been set up.

Windows does not recognize a publisher of the Webex.exe file. The digital signature SHA256 has been updated.

AppLocker can not cope with this yet.

Please change this to old SHA so that we can continue to use webex in the organization.

GPO Rule: O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US

Now: Publisher is missing:

Current Issue:

TimeCreated : 22.05.2019 13:00:57
UserName : Org.\User
PolicyName : EXE
FilePath : %OSDRIVE%\USERS\User\DOWNLOADS\WEBEX.EXE
Publisher : -
FileHash : 3964C9A1424D9DB7F4E2EDAB623716E05F7AC4F176CEA1A77C26395EF8C0DA81

mkutilek · ‎08-30-2019

We had the same behavior in AppLocker (publisher not visible).

The intermediate certificate was in the certificate store but not the root one.

We performed an update via certutil and everything is back to normal

Download http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab and extract authroot.stl
Download http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab and extract disallowedcert.stl

Check the files, they shall be signed by Microsoft

As admin, execute the following 2 commands

certutil -addstore -f root authroot.stl
certutil -addstore -f disallowed disallowedcert.stl

As mentioned above, this is surely linked to the switch from Symantec to DigiCert

will.schroeder · ‎08-30-2019

FYI, I used a GPO to deploy it to all the computers.

will.schroeder · ‎08-28-2019

I have the same issue you do but I don't think it's SHA1 vs SHA256. I have plenty of exes that I added publisher certs that were SHA256 and still worked. WebEx is the only one I've seen, to date, that I can't seem to get anything cert related added that works. I've been using App Locker for years too.

If I find a resolution, I'll post it.

will.schroeder · ‎08-29-2019

I'm finding the same issue you are, but *only* with WebEx. The Get-AppLockerFileInformation is reporting no publisher info on the machines having trouble. On machines without AppLocker activated I'm able to get the info and test-applocker... works fine including Test-Applocker. On my test machine I stopped the Application Identity service waited 30 or so seconds, started it again (I may have done this 2x). Then it started seeing the publisher again. I rebooted the machine after, and it continued to work.

Users reporting the issue have rebooted their computers, so I'm not sure a simple restart of the computer is sufficient nor am I completely certain why the service restarts seem to have fixed this test machine, at least temporarily.

will.schroeder · ‎08-29-2019

Resolution Found

The intermediate cert authority cert wasn't on my machines, root was though. I'm not sure how but it ended up on my test machine at one point (maybe I tested running webex as admin and that auto-installed it). What made me check it was this thread:

https://social.technet.microsoft.com/Forums/en-US/1468bd38-6d71-4fdd-a1d5-fc8cbf8ac156/applocker-wont-detect-publisher-of-an-exe-on-random-computers

Strangely after adding the intermediate cert to Intermediate Certificate Authorities the get-applockerfileinformation showed the publisher and a test-applockerpolicy now showed it should be allowed, but the previously downloaded temp webex app was still blocked. Subsequent fresh downloads were good though.

Note: I saw an install that's been on one of my machines for a long while and it had a Symantec cert chain instead of a DigiCert (fresh temp apps downloaded). I'm guessing the problem occurred when they switched.

Jonathan Schulenberg · ‎05-27-2019

That isn’t going to happen. SHA1 has been widely discredited at this point.