Safe Web Sites, Web Applications and Updates, and Defense+

[Guest]

[mug]

I think this post will be just a recommendation as well as a request for information about installing web application updates from safe sites.

We have a web app that updates automatically after logging in.  Because they are run straight from the site and are not saved to the computer first, CIS sandboxes them and they do not install properly.  Does anyone have any ideas about keeping D+ and sandboxing on, but effectively allowing updates from web applications?

I would dread the idea of disabling D+ or the sandbox on machines that use this web application.  It is the most effective piece of AntiMalware that we can put on our systems.   This will also roll over to the systems that we manage from the Endpoint Security Manager.  I don't want to get a CESM Request every time an employee logs on to the web application and there is an update and/or explain that the update was sandboxed, we ok'd it, and they must reopen the browser and log back on to get the update.

Any suggestions would be welcome.

Thanks.
mug

[HeffeD]

Does the web application always have the same name? If so, you could go to Defense+ -> Computer Security Policy and add the application, then assign it the Installer or Updater policy.

[Chiron]

Is the web application digitally signed? If so that would make it really easy, just add the signature to the TVL.

Also, I've never tried this, but is it possible to assign a wildcard to the Trusted Files List? If so then it would be possible to make the folder these are downloaded in, and therefore any files in it, trusted. Not sure if that's practicable, or even possible. Perhaps the same could be said for making it an installer or updater.

[mug]

Does the web application always have the same name? If so, you could go to Defense+ -> Computer Security Policy and add the application, then assign it the Installer or Updater policy.

Ok.  Here is what I did, but still not sure if it will work (need to test the config):  Using your advice, I did add the exe to the Computer Security Policy, however the app is a one-click install (see the ClickOnce info below).  When an 'update' occurs with a One Click .NET app, the entire application is reinstalled in the AppData folder named with an arbitrary GUID that changes at each update.  Therefore, there is no ONE single application file and path that can be added to the policy to allow it passed Defense+.

Here is what I am contemplating now... With all the above said, it seems that the only thing I can thing of is allowing the entire install path folder through D+.   I have not tried to see if there is a way to add a user folder path in D+.   This is not best practice, however it is better than turning off D+.

Actual path:
C:\Users\Mug.anthony\AppData\Local\Apps\2.0\*

TWO QUESTIONS:

1.  Is the * dynamic?  Meaning; If I add the above path with the *wildcard, will every application or file I install in that path FROM NOW ON, be in the Computer Security Policy?    The reason I ask is that when I add this path in the Trusted Files of the standalone CIS and click Apply, it actually adds all CURRENT files from that directory... NOT anything that I add after I apply that security policy.    

2.  I added this path as an Installer/Updater (and might change it to a custom policy):
%APPDATA%\Local\Apps\2.0\*
This was allowed on the CESM Console, but again, unsure if it allows everything added to the .\2.0\ folder from now on.

I will reply after testing.

Chiron, Nope.  This app is not signed. This particular app wasn't developed in-house here.  We have developed a few .Net apps and because of this issue, we are probably going to digitally sign them all from now on.   That would make it easy, though.  I guess there is hope for the future.

I am going to add a request to the Comodo - Wishlist... to integrate into IE Trusted Sites or simply a setting that would allow allow apps to run if running from particular websites.

ClickOnce web-based deployment info:
http://msdn.microsoft.com/en-us/library/bb756885.aspx

Thanks.
mug

[Dennis2]

I do not think you can use Folders in Defense+ Computer security policy.

You can create a group in file groups and then use that group in Computer security policy and Network security policy.

Anything you create with C:\Users\Mug.anthony\AppData\Local\Apps\2.0\*

will have all rights to anything in that folder.

Dennis

[mug]

I do not think you can use Folders in Defense+ Computer security policy.

You can create a group in file groups and then use that group in Computer security policy and Network security policy.

Anything you create with C:\Users\Mug.anthony\AppData\Local\Apps\2.0\*

will have all rights to anything in that folder.

Dennis

It was a bit tricky in Computer Sec Policy... It won't let you add a folder, however, you can click Browse, add any file, then it allows you to edit the path, which I then changed it to %APPDATA%\Local\Apps\2.0\*     and apply the Installer and Updater policy to it.   

Would you be able to confirm that anything I put in that folder IN THE FUTURE will be safe also?  OR just anything that is in that folder at the time the policy is applied.

Thanks.
mug

[Dennis2]

Anything now or you place in that folder in the future will be treated with the same rules.

There is always a risk with using wildcards with folders that anything placed in that folder will have all the permissions you have given.

Dennis

[Tags:]