Hi guys, I’ve been assigned a case to block portable apps on a Windows desktop using EPM-W. What is the best way to target any portable apps on Windows? I have a portable application (FreeCommanderPortable.exe - this is just for testing, real-world apps can be anything) with the following criteria:
It has a valid digital signature
The .exe file can originate from a USB stick, internet download, or file sharing
The .exe file can be moved to another folder/drive
It doesn’t trigger UAC when run
The file name can be changed to anything
I tried creating an application group rule that targets any application ("*"), but there were many false positives, as some legitimate applications sometimes depend on each other.
The best configuration I can think of is to target if the publisher or the app name contains the string 'portable'. But not all portable applications have this string (e.g., if renamed).
Has anyone faced a similar scenario?
Typically, those types of applications don’t require elevation unless they attempt to perform a restricted action that would prompt the UAC window.
One way to do this would be leveraging Drive criteria. This would at least cover your removable media.
By the definition of portable app, it’s also called a standalone software - which means it is designed to operate without changing other files. Elevation activity is most likely rare.
Creating a rule based on Drive type will only target the ones running on non-Fixed disk, but it will not be able to cover the ones copied to Fixed Disk to execute.
The only method I can think of that can fully address this is a full-fledged Allow List - where only approved software can run - all others will be halted/blocked.
When applying a block, try to avoid multiple criteria as it makes the block easier to defeat. All criteria must be met for it to be blocked, so renaming, running from a different location or re-signing could be used by a user who understands how the block is applied.
Sounds like you want to block any unknown .exes. This is default behaviour for the Quick Start Low Flexibility workstyle as files copied to an external drive or those copied to the endpoint will be owned (NTFS ownership) by the user and therefore fall through to the “(Default) Any Application” rule:
The user will be shown a message that requires external authorization.
If the user has the High Flexibility workstyle, then these untrusted applications will be allowed to run as the “(Default) Any Application” is applied differently in here:
Note there is no message set, so the process is allowed to run.
How does the untrusted app end up in the “(Default) Any Application” rule?
It is simply because no other rule above matched it.
Trusted exes are matched in “Passive - Allowed Functions & Apps”
It is because of this criterion:
Note that “Any Trusted Executable” includes other criteria:
Does not match: (powershell_ise.exe)|(powershell.exe)|(cmd.exe)|(wscript.exe)|(cscript.exe)|(mshta.exe)
Drive: is Fixed Disk
Trusted Ownership: is a Trusted Owner
So even files on an external drive that are trusted should not match the rule and drop through to “(Default) Any Application”.
Back to the original question of how to block portable apps. All exes are the same essentially, regardless of how they were deployed and EPM can’t differentiate between an exe that was deployed by an installer or a self contained one. It can stop the execution of exes from untrusted sources which should cover your use-case.
You can, of course, add exceptions by adding the exe to “Passive - Allowed Functions & Apps”. Here, unlike for blocking, it is a good idea to use multiple criteria in order to make it harder to allow execution. E.g. Filename + Product name.
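To see which executables would fail the three “Any Trusted Executable” criteria quoted above, the following PowerShell sketch approximates them for a given file. It is an added example, not part of the original reply and not BeyondTrust code; the function name `Test-TrustedExecutable` is hypothetical, and the set of trusted owners (SYSTEM, Administrators, TrustedInstaller) is an assumption.

```powershell
# Added example: approximates the three "Any Trusted Executable" criteria from the reply.
# Assumption: a "Trusted Owner" is SYSTEM, BUILTIN\Administrators or TrustedInstaller.
$TrustedOwnerSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Pattern copied from the "Does not match" criterion in the reply.
$ExcludedHosts = '(powershell_ise.exe)|(powershell.exe)|(cmd.exe)|(wscript.exe)|(cscript.exe)|(mshta.exe)'

function Test-TrustedExecutable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $file = Get-Item -LiteralPath $Path -ErrorAction Stop
        $root = [System.IO.Path]::GetPathRoot($file.FullName)

        # Drive criterion. DriveInfo rejects UNC roots, so treat those as Network.
        if ($root.StartsWith('\\')) {
            $driveType = [System.IO.DriveType]::Network
        } else {
            $driveType = [System.IO.DriveInfo]::new($root).DriveType
        }

        # Ownership criterion: NTFS owner of the file, compared by SID.
        $acl = Get-Acl -LiteralPath $file.FullName
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value

        $notHost = $file.Name -notmatch $ExcludedHosts   # -notmatch is case-insensitive
        $isFixed = $driveType -eq [System.IO.DriveType]::Fixed
        $isOwned = $TrustedOwnerSids -contains $ownerSid

        [pscustomobject]@{
            Path          = $file.FullName
            DriveType     = $driveType
            OwnerSid      = $ownerSid
            NotScriptHost = $notHost
            FixedDisk     = $isFixed
            TrustedOwner  = $isOwned
            Trusted       = ($notHost -and $isFixed -and $isOwned)  # all three must hold
        }
    }
}

# Usage (C:\Users is an example path; run elevated to read other users' profiles):
# Get-ChildItem C:\Users -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
#     Test-TrustedExecutable | Where-Object { -not $_.Trusted }
```

A portable .exe that a standard user downloaded or copied from a USB stick reports the user's own SID as owner, so `Trusted` is false even after the file is renamed or moved to a fixed disk.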
Thank you for the insights.
A little background story, most users in my client environment treat the company computers like personal ones. They do download games, music, videos, torrents, editing photos, etc, while working.
Since new software installation is blocked, they always find ways to do what they want, like downloading with some sort of portable torrent clients, portable download managers, portable 7zip, portable photoshop, etc, as these applications don't need to be installed.
So, I'm trying to limit what can be run, including portable apps.
I think I will recommend my client to use low flexibility workstyle combined with a whitelist approach. Because ideally, the number of allowed applications should be far fewer than the unknown ones, regardless of whether they are portable apps or any other executable.
In a situation like this, I think a regular scan for executables in the users' folders, and a written policy on resource misuse with clear expectations and disciplinary procedures might be a better deterrent. They are as responsible for the business's security as you are.
I have seen requests like this in the past, and normally what we recommend in support is to try and create a rule where you lock down where applications can be run from. So, for example, most portable apps will be running from downloads or the desktop or some other user profile location.
The false positives you mention are probably running from somewhere like C:\Program Files and users can't put stuff in there without elevating anyway.
You could have a block rule or a rule with a challenge response message box for anything running from user profile locations, e.g. C:\Users\*
Hey @raymondus, in order to block the action of copying files from a removable or portable drive, there is no such rule or anything you can specifically create; there are many locations where a user can copy any file from a removable drive and execute it.
So, in order to block copy actions, it's beneficial to implement a DLP solution for such actions, in such a manner that copying and executing a file over a removable drive will be blocked by security policies.