jymcheong / OpenEDRclient

Open Endpoint Defense & Response

Not handling ADS for downloaded EXE/DLL #4

Closed jymcheong closed 3 years ago

jymcheong commented 3 years ago

DFPM will stop after trying to set an ACL on a full path that contains :SmartScreen or :zone.identifier (Alternate Data Stream).

jymcheong commented 3 years ago

Fixes:

  1. removed :... ADS string
  2. tested file existence before adding deny-ACL

Test-cases:

  1. Download EXE/DLL/MSI from internet with browser; denied execution
  2. Copy-paste EXE already existing on machine; denied execution

Note that Win10 SmartScreen will make it difficult for the user to run downloaded executables at least twice.
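The two fixes listed above (drop the `:...` ADS suffix from the reported path, then confirm the base file exists before applying a deny-ACL) are small but easy to get subtly wrong, because the drive-letter colon in `C:\...` is not a stream separator. The following is an added illustration, not code from the OpenEDRclient repository: the helper names `strip_ads` and `deny_acl_target` and the sample paths are constructed for this example, and the actual ACL write that DFPM performs is deliberately left out.

```python
import os

# Added example (not OpenEDRclient code). Demonstrates the two fixes from the
# issue: strip a trailing Alternate Data Stream name such as ":Zone.Identifier"
# or ":SmartScreen" (optionally followed by ":$DATA") from a Windows path, then
# verify the base file exists before a deny-ACL would be applied to it.


def strip_ads(path: str) -> str:
    """Return `path` with any trailing ':stream[:type]' ADS suffix removed.

    Only colons inside the final path component can denote a stream, and the
    drive-letter colon of a drive-relative path such as 'C:file.exe' is kept.
    """
    sep_idx = max(path.rfind("\\"), path.rfind("/"))
    last = path[sep_idx + 1:]

    # Where to start looking for a stream colon inside the last component.
    start = 0
    if sep_idx == -1 and len(last) >= 2 and last[0].isalpha() and last[1] == ":":
        start = 2  # skip the drive-letter colon in a bare/drive-relative path

    colon = last.find(":", start)
    if colon == -1:
        return path
    return path[:sep_idx + 1] + last[:colon]


def deny_acl_target(raw_path: str, exists=os.path.exists):
    """Return the on-disk file a deny-ACL should target, or None.

    Mirrors the issue's fix order: normalise away the ADS name first, then
    test that the base file is still present. Returning None lets the caller
    skip the ACL call instead of failing on a path that no longer exists
    (or on a stream name the ACL API will not accept).
    `exists` is injectable so the logic can be exercised without a filesystem.
    """
    base = strip_ads(raw_path)
    if not exists(base):
        return None
    return base


if __name__ == "__main__":
    # Constructed sample inputs resembling paths DFPM might receive.
    samples = [
        r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
        r"C:\Users\alice\Downloads\setup.exe:SmartScreen:$DATA",
        r"C:\Users\alice\Downloads\setup.exe",
        "C:setup.exe:Zone.Identifier",
    ]
    for s in samples:
        print(f"{s!r} -> {strip_ads(s)!r}")
```

Feeding `deny_acl_target` a fake `exists` callable is enough to check the decision logic offline; on a real Windows host the default `os.path.exists` is used and the returned path is what the deny-ACL would be applied to.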