Forum Discussion

david_elias
New Contributor
2 months ago
Solved

Applocker blocking certain 1pw exe files

Dear all, anyone here using Windows Applocker and having problems with (only certain) exe files? 

Executable files signed by Agilebits are allowed as per Publisher Rule but for some reason some exe files related to 1pw (Installer exe and Update exe for example) are being prevented from execution: 

I've seen a similar post in this community in regards to AppLocker blocking 1pw files because of a problem with the file signature (revoked certificate). That doesn't seem to be the case for my problem though, as PowerShell's Get-AuthenticodeSignature command returns "Valid" as the certificate status.

Any ideas? I'm happy to provide more context / details if necessary.

Many thanks! 


  • Hi all and thanks everyone for contributing ideas and suggestions. To sum it up: 

    • 1Password is in the process of changing the way files are being signed and while this is ongoing, exe files will have two certificates ("dual signed")
    • AppLocker will block those dual-signed files (at least the 1Password files, I haven't tested this on other files) when allowed by a "Publisher Rule"
    • As a workaround it is possible to allow the files via "File Hash Rules" (meaning: every single file = one rule per file)
    • After 1Password is done transitioning the signing process, the dual signing will stop and therefore AppLocker Publisher Rules are likely to function again as they should


    This is what the Support wrote:
    With regards to publisher certificates, the team are transitioning to using Microsoft's Trusted Signing, because of that, the installer is currently signed with two certificates, with the MS Trusted Signing one being the second certificate. The first certificate is nearing expiration and will be removed from the installer in the near future (according to the Development team this will be end of this month or early next month).
    It's possible that AppLocker currently may not support dual certificates (they have supported it in the past), it may be rejecting the first certificate due to it nearing expiration, or simply fails to recognize publisher rules when dual-signed binaries are involved. In the interim you'll likely need to use hash rules for the 1Password app in order to allow it with AppLocker. Although I don't have a specific timeline to share or can't make any promises as the landscape may change, given regular update cadence I expect no more than the next two updates will contain dual certificates.
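    A PowerShell walk-through of the hash-rule workaround summarised above, added here as an example (it is not code from the thread, from 1Password or from Microsoft). The two file paths are placeholders for wherever the blocked executables live on your machine; the cmdlets themselves are the standard AppLocker module cmdlets.

```powershell
# Added example: build AppLocker file-hash rules for executables that a
# publisher rule fails to allow, merge them, verify the decision, and look up
# the 8004 block events. Paths are placeholders; adjust to your environment.

$blockedFiles = @(
    "$env:LOCALAPPDATA\1Password\app\8\1Password.exe",   # placeholder path
    "$env:TEMP\1PasswordSetup.exe"                        # placeholder path
)

# 1. Show what AppLocker itself extracts from each file (publisher + hash).
$fileInfo = Get-AppLockerFileInformation -Path $blockedFiles
$fileInfo | Select-Object Path, Publisher, Hash | Format-List

# 2. Build one hash rule per file (a hash rule must be regenerated after every
#    update, because the new binary has a new hash) and save the XML.
$policyXml = $fileInfo |
    New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix "1Password" -Xml
$policyPath = "$env:TEMP\1Password-HashRules.xml"
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# 3. Merge into the local policy. For domain-managed AppLocker, import the XML
#    into the GPO (or use -Ldap with the GPO path) instead of a local merge.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 4. Verify: each file should now report Allowed, matched by the new hash rule.
$effectivePath = "$env:TEMP\Effective-AppLocker.xml"
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effectivePath -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy $effectivePath -Path $blockedFiles -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Recent 8004 events (enforced block) mentioning 1Password, to confirm the
#    original failure and to check that no new blocks appear after the merge.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '1Password' } |
    Select-Object TimeCreated, Message
```

Run it from an elevated prompt; Set-AppLockerPolicy needs administrative rights, and Test-AppLockerPolicy lets you confirm the rule before any user hits the block again.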


12 Replies


  • david_elias and Jake_Evans

    I'm sorry that you're continuing to run into issues. We're currently transitioning how the team signs 1Password for Windows. So that our team can investigate the issues that you're running into with AppLocker rules further, and see whether the current certificate work might be related, please send an email to support@1Password.com and include a link to this thread. 

    After emailing in, you'll receive a reply from BitBot, our friendly robot assistant with a Support ID that looks something like [#ABC-12345-678]. Post that here, and I'll be able to locate your message and make sure it's gotten to the right place.

    -Dave

    •
      david_elias
      New Contributor

      Hi Dave, thank you. I did as suggested and here is the Support ID: [#MWB-89624-457]

      • 1P_Dave
        Moderator

        Thank you for posting the Support ID. I see that my colleague has sent you a reply, please continue the conversation there. 

        -Dave

  •
    Jake_Evans
    New Contributor

    Hi David,

    Any luck? We've started having the same issue in our environment.

    •
      david_elias
      New Contributor

      Hi Jake, unfortunately not. Also posted on https://www.reddit.com/r/sysadmin/comments/1knkka5/applocker_prevents_execution_of_exefile_despite/ and https://answers.microsoft.com/en-us/windows/forum/all/applocker-prevents-execution-of-exe-file-despite/4a308b44-8c51-4ae1-9a46-3c96b2cb2c43 but still no luck. 
      I suspected the blocked file to have a different signature / certificate compared to a working exe, but PowerShell says it is the same:


      One difference though, the blocked file has two signatures for some reason: 

      AppLocker Publisher rules will be enforced by matching the file signature, so not sure if that's something to investigate further? Not very likely considering the fact that AppLocker recognizes the same Publisher information on both files:


      In case you have more ideas or even a solution, I'd love to hear it!

      Best, 
      David

      •
        Jake_Evans
        New Contributor

        Hi David,


        I got a ticket open with 1Password support and on their suggestion generated a new file hash rule, which worked. 

        I had tried this previously for another .exe by 1Password that was being blocked (the browser helper), which didn't work, so I didn't expect it to work here either, but it did.


  • Hello david_elias! 👋

    I'm sorry that you're unable to install 1Password due to AppLocker. I'm not an expert with AppLocker but error 8004 seems to indicate that 1Password's installer is being blocked by an AppLocker rule that you, or your IT team has configured. You can find more information on Microsoft's website: Review the AppLocker logs in Windows Event Viewer

    Note: The above link was created and is maintained by a third-party and I can't vouch for its accuracy. 

    As a first step, I suggest deleting the 1Password installer from your system and restarting your Windows device. Then download a new installer from our website. If you run into the same issue with the new installer then I recommend reaching out to your IT team, or Microsoft Support, so that they can help troubleshoot your AppLocker configuration further. 

    Let me know if there's any other information that I can provide from the 1Password end of things. 

    -Dave

    •
      Jake_Evans
      New Contributor

      Hi Dave,

      I have started having the same issue in our environment; we have had 1Password allowed for quite some time and never had an issue until now. I have since allowed it via signature, path rule, and file hash, but 1Password refuses to run.

      Is it possible that there is any kind of issue with the certificate? I note that the signing time is Tuesday, 13 May, which roughly coincides with when this started occurring for us.

      -Jake