How to whitelist Firefox installations from the Cryptolocker SRP GPO

Tags: firefox, group-policy

I've a GPO set up to try and prevent Cryptolocker from infecting systems in our environment. The below software restrictions are in place:

%AppData%\*.exe
%AppData%\*\*.exe
%LocalAppData%\Temp\*.zip\*.exe
%LocalAppData%\Temp\7z*\*.exe
%LocalAppData%\Temp\Rar*\*.exe
%LocalAppData%\Temp\wz*\*.exe
%UserProfile%\Local Settings\Temp\*.7z\*.exe
%UserProfile%\Local Settings\Temp\*.rar\*.exe
%UserProfile%\Local Settings\Temp\*.wz\*.exe
%UserProfile%\Local Settings\Temp\*.zip\*.exe

When trying to install Firefox I get the below error:

Access to C:\Users\jdoe\AppData\Local\Temp\7zSA1FB.tmp\setup-stub.exe
has been restricted by your Administrator by location with policy rule
{0cbe13527-3132-4e4c-5df1-c48de858c993} placed on path
C:\Users\jdoe\AppData\Local\Temp\7z*\*.exe.

I've added the below rule to the GPO and set to unrestricted but it does not work:

%LocalAppData%\Temp\7z*.tmp\setup-stub.exe

Can somebody please tell me what I'm doing wrong? I can't use the exact folder name (7zS189F.tmp in this case) as every time it installs the folder name is slightly different so I need to be able to use the wildcard.

Thanks in advance for your assistance.

Best Answer

With SRP the more conservative rule takes precedence. That is, disallow takes precedence over allow.
Your allow rule %LocalAppData%\Temp\7z*.tmp\setup-stub.exe is functionally equivalent to your disallow rule of %LocalAppData%\Temp\7z*\*.exe. Two Path Rules, containing wildcards as you've used, are treated as the same in precedence evaluation.

From How Software Restriction Policies Work:

Path rule precedence

When there are multiple matching path rules, the most specific matching rule takes precedence.

The following is a set of paths, from highest precedence (more specific match) to lowest precedence (more general match):

  • Drive:\Folder1\Folder2\FileName.Extension
  • Drive:\Folder1\Folder2\*.Extension
  • *.Extension
  • Drive:\Folder1\Folder2\
  • Drive:\Folder1\

Your conflicting rules match the second example and are considered of equivalent precedence. Because of this the disallow rule "wins".
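To make the precedence argument concrete, here is a small Python model of SRP path-rule evaluation written for this page; it is an added illustration, not Microsoft's implementation or anything from the original thread. It expands the environment variables with a constructed profile for "jdoe", ranks each matching rule using the "Path rule precedence" list quoted above, and resolves ties between equally specific rules by picking the most restrictive security level. Two details are modelling assumptions: a `*` is treated as matching within a single path component, and depth is only used to order folder rules (the list shows `Folder1\Folder2\` beating `Folder1\`).

```python
"""Illustrative model of SRP path-rule precedence (not Microsoft's code)."""
import re
from dataclasses import dataclass

# Constructed environment standing in for the profile in the question.
ENV = {
    "%AppData%": r"C:\Users\jdoe\AppData\Roaming",
    "%LocalAppData%": r"C:\Users\jdoe\AppData\Local",
    "%UserProfile%": r"C:\Users\jdoe",
}

# Lower rank = more restrictive; used to break ties between equally specific rules.
LEVEL_RANK = {"Disallowed": 0, "Basic User": 1, "Unrestricted": 2}


@dataclass(frozen=True)
class PathRule:
    pattern: str
    level: str


def expand(pattern: str) -> str:
    """Replace %Var% tokens case-insensitively with their constructed values."""
    for var, value in ENV.items():
        pattern = re.sub(re.escape(var), lambda _m: value, pattern, flags=re.IGNORECASE)
    return pattern


def to_regex(pattern: str) -> re.Pattern:
    """Turn an SRP path rule into a regex.

    Assumption: '*' matches any run of characters within one path component;
    a rule ending in '\\' is a folder rule and covers everything beneath it.
    """
    expanded = expand(pattern)
    body = r"[^\\]*".join(re.escape(piece) for piece in expanded.split("*"))
    if expanded.endswith("\\"):
        body += r".*"
    return re.compile("^" + body + "$", re.IGNORECASE)


def specificity(pattern: str) -> tuple:
    """Rank a rule per the 'Path rule precedence' list; a smaller tuple is more specific."""
    expanded = expand(pattern)
    depth = expanded.count("\\")
    if expanded.endswith("\\"):
        return (3, -depth)   # Drive:\Folder1\Folder2\  (deeper folder wins over shallower)
    if "\\" not in expanded:
        return (2, 0)        # *.Extension
    if "*" in expanded:
        return (1, 0)        # Drive:\Folder1\Folder2\*.Extension (any wildcard rule)
    return (0, 0)            # Drive:\Folder1\Folder2\FileName.Extension (exact path)


def evaluate(path: str, rules, default: str = "Unrestricted"):
    """Return (security level, winning rule or None) for a launched path."""
    matches = [r for r in rules if to_regex(r.pattern).match(path)]
    if not matches:
        return default, None
    best = min(specificity(r.pattern) for r in matches)
    contenders = [r for r in matches if specificity(r.pattern) == best]
    # Equally specific rules: the most restrictive level takes precedence.
    winner = min(contenders, key=lambda r: LEVEL_RANK[r.level])
    return winner.level, winner


# The disallow set from the question plus the allow rule that "does not work".
RULES = [
    PathRule(r"%AppData%\*.exe", "Disallowed"),
    PathRule(r"%AppData%\*\*.exe", "Disallowed"),
    PathRule(r"%LocalAppData%\Temp\*.zip\*.exe", "Disallowed"),
    PathRule(r"%LocalAppData%\Temp\7z*\*.exe", "Disallowed"),
    PathRule(r"%LocalAppData%\Temp\Rar*\*.exe", "Disallowed"),
    PathRule(r"%LocalAppData%\Temp\wz*\*.exe", "Disallowed"),
    PathRule(r"%UserProfile%\Local Settings\Temp\*.zip\*.exe", "Disallowed"),
    PathRule(r"%LocalAppData%\Temp\7z*.tmp\setup-stub.exe", "Unrestricted"),
]

# The path from the error message in the question.
FIREFOX_STUB = r"C:\Users\jdoe\AppData\Local\Temp\7zSA1FB.tmp\setup-stub.exe"


if __name__ == "__main__":
    level, rule = evaluate(FIREFOX_STUB, RULES)
    print(f"{FIREFOX_STUB}\n  -> {level} (rule: {rule.pattern if rule else 'default'})")
    for r in RULES:
        if to_regex(r.pattern).match(FIREFOX_STUB):
            print(f"  matched {r.level:<12} {r.pattern} specificity={specificity(r.pattern)}")
```

Running it shows both the `7z*\*.exe` disallow rule and the `7z*.tmp\setup-stub.exe` allow rule matching with the same specificity, so the Disallowed level wins, which is exactly the behaviour the answer describes. Swapping the allow rule for the exact, wildcard-free path of one installer run ranks it in the top tier and it would win, which is why the asker's exact-folder-name rule worked but is impractical with a changing folder name.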