By SuperG - Last updated: Monday, June 18, 2012 - Save & Share - Leave a Comment

This was posted to

AppLocker not behaving as expect when file has Alternate Data Streams and rule is not applied to everyone.

I have a publisher rule setup for MS Office 2010 as in the picture

When this is set to Allow for Everyone Office works as expected.
However if I set the rule to Allow for Domain Users I have an issue.

I’ll use an Excel document as an example.
If the file I am using has Alternate Data Streams attached with ZoneID=3 then I get this error

And inside the Event Viewer I see

If I remove the Data Stream or set it to ZoneID=0 then the application works fine. The application also works if the Everyone groups is given allow on the AppLocker rule.

So the question is: What is happening between AppLocker and Office when it comes to ADS that is preventing Office from running correctly?
Oh by the way the normal AppLocker is blocking this application is never seen.

Posted in Events, Security • Tags: , Top Of Page

Write a comment

You need to login to post comments!