2 Replies Latest reply on May 9, 2017 7:50 PM by Fordo

    How can I allow something on USB drive to run regardless of drive letter?

    Fordo Apprentice

      Scenario: you need to make a secure USB installer/runtime Allowed, regardless of drive letter, but you don't want to add hashes to your config without enabling EnableSignatureOptimization.

      Background: when you set EnableSignatureOptimization to 1, AM only compares the hash of an executed item to your config's hash(es) if that item's path matches the path of a hash in your config. If you don't enable this setting, then AM will compare the hash of everything it launches to whatever hashes you've added as Allowed items if there's no other rule making them allowed (e.g. the default rule - Trusted Ownership).

      Issue: the AM console doesn't allow you to modify the path of an added hash to change it from e:\something.exe to ?:\something.exe (where ? = a single-character wildcard).

        • 1. Re: How can I allow something on USB drive to run regardless of drive letter?
          Fordo Apprentice

          Workaround: the script below will prompt you to pick a file (e.g. x:\some-secure-USB-installer.exe), then will prompt you for whatever path you want to use (which could start with ?:\ - where ? means any character, i.e. any drive letter). The script will generate a temporary config, allowing you to select the new signature item from the Everyone->Allowed area, copy it, and paste it into your production config. The net result is you can make a file Allowed regardless of the drive letter assigned to your USB drive, based on hash but without causing AM to need to compare every otherwise-blocked item (including desktop.ini and other false positives) against your hash(es).

          Note that you might also want a process rule granting Unrestricted status to the thing you're making Allowed - maybe - it all depends on how the thing you're unblocking behaves.

          Script:

          Function Get-InputFileName()
          {
              # Standard Windows file picker; returns the chosen path ('' if the dialog is cancelled)
              Add-Type -AssemblyName System.Windows.Forms

              $OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
              $OpenFileDialog.Filter = "All (*.*)| *.*"
              $OpenFileDialog.ShowDialog() | Out-Null
              $OpenFileDialog.FileName
          }

          #------------------------------------

          # For dialogs
          Add-Type -AssemblyName Microsoft.VisualBasic

          # for doing API stuff
          $confHelper = New-Object -ComObject 'AM.ConfigurationHelper.1'
          $conf       = New-Object -ComObject 'AM.Configuration.3'

          # load the default configuration
          $confXml = $confHelper.DefaultConfiguration
          $conf.ParseXML($confXml)

          # prompt for input file
          $inputFile = Get-InputFileName
          if (-not $inputFile) { Write-Error "No file selected"; return }

          # Get the file path to use
          $filePath = [Microsoft.VisualBasic.Interaction]::InputBox("Provide a file path to use e.g. ?:\secureUSBinstaller.exe", "File path for rule", "")
          if (-not $filePath) { Write-Error "No path given"; return }

          # Create hash rule
          $as = $conf.ManufactureInstanceFromClassName('AM.SignatureFile')
          $as.SHA1Hash    = $confHelper.ReadSha1HashFromFile($inputFile)
          $as.CommandLine = $as.SHA1Hash
          $as.Path        = $filePath

          # add it as an Allowed item for Everyone
          $conf.GroupRules.Item('Everyone').AccessibleSignatures.Add($as.XML())

          $tempAampFile = [System.IO.Path]::GetTempFileName() + ".aamp"

          $confHelper.SaveLocalConfiguration($tempAampFile, $conf.XML())

          # open the temporary config in the AM console via the .aamp file association
          & $tempAampFile
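The following is an added example, not code from Fordo's post or from the product's own tooling. It generalises the one-file workaround above to a whole USB stick: every file of the listed types under the root gets an Allowed signature rule whose Path has the drive letter replaced by the single-character wildcard '?', and the result is saved as an .aamp. It uses only the COM calls that appear in the script above, with two assumptions that are not on the page: that AM.ConfigurationHelper.1 also exposes LoadLocalConfiguration(path) (used only when -ConfigPath is given, to add the rules straight into an existing config instead of a temporary one), and the extension list, which is a placeholder to adjust for your installer.

```powershell
# Added example, not part of the original post: batch form of the workaround.
# For every file of the listed types under a USB root it creates an Allowed
# signature (SHA-1) rule whose Path has the drive letter replaced by the AM
# single-character wildcard '?', then saves the result as an .aamp file.
# Assumptions not taken from the page: the ConfigurationHelper method name
# LoadLocalConfiguration (used only when -ConfigPath is given), and the
# default extension list, which is a placeholder to adjust for your stick.
param(
    [Parameter(Mandatory)][string]$UsbRoot,      # e.g. E:\
    [string]$ConfigPath,                          # existing .aamp to extend; omit to start from the default config
    [string]$OutPath = (Join-Path $env:TEMP 'usb-allow.aamp'),
    [string]$Group = 'Everyone',
    [string[]]$Extensions = @('*.exe', '*.dll', '*.msi', '*.ps1', '*.vbs')
)

# Turn E:\dir\tool.exe into ?:\dir\tool.exe so the rule matches any drive letter
function ConvertTo-DriveAgnosticPath([string]$FullPath) {
    if ($FullPath -notmatch '^[A-Za-z]:\\') {
        throw "Not a drive-letter path: $FullPath"
    }
    return '?:' + $FullPath.Substring(2)
}

$confHelper = New-Object -ComObject 'AM.ConfigurationHelper.1'
$conf       = New-Object -ComObject 'AM.Configuration.3'

if ($ConfigPath) {
    # ASSUMPTION: LoadLocalConfiguration(path) returns the configuration XML
    $conf.ParseXML($confHelper.LoadLocalConfiguration($ConfigPath))
} else {
    $conf.ParseXML($confHelper.DefaultConfiguration)
}

$root  = (Resolve-Path -LiteralPath $UsbRoot).Path
$files = Get-ChildItem -Path $root -Recurse -File -Include $Extensions
if (-not $files) { Write-Error "No matching files under $root"; return }

$rules = $conf.GroupRules.Item($Group).AccessibleSignatures
$added = 0
foreach ($f in $files) {
    $sig = $conf.ManufactureInstanceFromClassName('AM.SignatureFile')
    $sig.SHA1Hash    = $confHelper.ReadSha1HashFromFile($f.FullName)
    $sig.CommandLine = $sig.SHA1Hash          # same convention as the one-file script
    $sig.Path        = ConvertTo-DriveAgnosticPath $f.FullName
    $rules.Add($sig.XML())
    $added++
    Write-Verbose ("{0}  {1}" -f $sig.SHA1Hash, $sig.Path)
}

$confHelper.SaveLocalConfiguration($OutPath, $conf.XML())
Write-Host "Wrote $added hash rules for '$Group' to $OutPath"
```

Save it as a .ps1 (any name) and run it with, for example, `-UsbRoot E:\ -Verbose` from the machine that has the AM console installed, since the COM classes come from the console. Two cautions: every file it hashes becomes trusted, so run it against the clean master image of the stick, never against one that has been in the field; and because the rules carry a path, with EnableSignatureOptimization set to 1 they only fire when the file runs from ?:\<same relative path>, so a copy of the same binary elsewhere stays blocked, which is the intended behaviour. Process rules are not touched by this script.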

          • 2. Re: How can I allow something on USB drive to run regardless of drive letter?
            Fordo Apprentice
            you might also want a process rule granting Unrestricted status to the thing you're making Allowed

            That process rule will need to be file-path-based; creating one based on signature (hash) and setting its status to Unrestricted has no effect - or at least has no effect in making sub-processes or DLLs on the USB drive Allowed.