Forum Discussion
Applocker blocking certain 1pw exe files
- 2 months ago
Hi all and thanks everyone for contributing ideas and suggestions. To sum it up:
- 1Password is in the process of changing the way its files are signed; while this is ongoing, exe files will have two certificates ("dual signed")
- AppLocker will block those dual-signed files (at least the 1Password files, I haven't tested this on other files) when they are allowed by a "Publisher Rule"
- As a workaround it is possible to allow the files via "File Hash Rules" (meaning: every single file = one rule per file)
- After 1Password is done transitioning the signing process, the dual signing will stop and therefore AppLocker Publisher Rules are likely to function again as they should
This is what the Support wrote:
With regards to publisher certificates, the team are transitioning to using Microsoft's Trusted Signing; because of that, the installer is currently signed with two certificates, with the MS Trusted Signing one being the second certificate. The first certificate is nearing expiration and will be removed from the installer in the near future (according to the Development team this will be end of this month or early next month).
It's possible that AppLocker currently may not support dual certificates (they have supported it in the past), it may be rejecting the first certificate due to it nearing expiration, or simply fails to recognize publisher rules when dual-signed binaries are involved. In the interim you'll likely need to use hash rules for the 1Password app in order to allow it with AppLocker. Although I don't have a specific timeline to share and can't make any promises as the landscape may change, given the regular update cadence I expect no more than the next two updates will contain dual certificates.
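The workaround summarized above, as an added PowerShell example (not code from any of the posts or from 1Password): inspect what the file's primary signer looks like, find the AppLocker block events, build a hash rule for that one file and merge it into the local policy. The exe path is a placeholder, and note that Get-AuthenticodeSignature reports only the primary signature, so a dual-signed file still shows one signer here.

```powershell
# Placeholder path: adjust to the 1Password exe that is being blocked.
$exe = 'C:\Program Files\1Password\app\8\1Password.exe'

# 1. Primary Authenticode signer as PowerShell sees it (secondary signatures
#    are not enumerated by this cmdlet, so compare this with the file's
#    Digital Signatures tab when a binary is dual-signed).
$sig = Get-AuthenticodeSignature -FilePath $exe
[pscustomobject]@{
    File    = $sig.Path
    Status  = $sig.Status
    Subject = $sig.SignerCertificate.Subject
    Expires = $sig.SignerCertificate.NotAfter
} | Format-List

# 2. Recent AppLocker block events for EXEs (event ID 8004 = blocked),
#    filtered to the file in question, to confirm it really is AppLocker.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$(Split-Path $exe -Leaf)*" } |
    Select-Object TimeCreated, Message

# 3. How the current effective policy treats the file (publisher rule present
#    but file still 'Denied' reproduces the symptom from the thread).
$effective = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $effective -Path $exe -User Everyone

# 4. Build a hash rule for exactly this file and merge it into the local
#    policy. A hash rule is bound to this build, so every new version
#    of the exe needs a new rule (the limitation discussed in the thread).
$info     = Get-AppLockerFileInformation -Path $exe
$ruleXml  = New-AppLockerPolicy -FileInformation $info -RuleType Hash `
                -User Everyone -RuleNamePrefix '1Password-hash' -Xml
$rulePath = Join-Path $env:TEMP '1password-hash-rule.xml'
$ruleXml | Out-File -FilePath $rulePath -Encoding utf8
Set-AppLockerPolicy -XmlPolicy $rulePath -Merge

# 5. Re-test against the merged policy; the file should now be 'Allowed'
#    via the hash rule rather than the publisher rule.
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $exe -User Everyone
```

Run from an elevated PowerShell on the test machine; for a domain deployment, export the same rule XML and merge it into the AppLocker GPO instead of the local policy.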
Hi David,
Any luck? We've started having the same issue in our environment.
- david_elias · 2 months ago · New Contributor
Hi Jake, unfortunately not. Also posted on https://www.reddit.com/r/sysadmin/comments/1knkka5/applocker_prevents_execution_of_exefile_despite/ and https://answers.microsoft.com/en-us/windows/forum/all/applocker-prevents-execution-of-exe-file-despite/4a308b44-8c51-4ae1-9a46-3c96b2cb2c43 but still no luck.
I suspected the blocked file to have a different signature / certificate compared to a working exe, but PowerShell says it is the same:
One difference though: the blocked file has two signatures for some reason:
AppLocker Publisher rules will be enforced by matching the file signature, so not sure if that's something to investigate further? Not very likely considering the fact that AppLocker recognizes the same Publisher information on both files:
In case you have more ideas or even a solution, I'd love to hear it!
Best,
David
- Jake_Evans · 2 months ago · New Contributor
Hi David,
I got a ticket open with 1Password support and on their suggestion generated a new file hash rule, which worked.
I had tried this previously for another .exe by 1Password that was being blocked (the browser helper), which didn't work, so I didn't expect it to work here either, but it did.
- david_elias · 2 months ago · New Contributor
Thanks Jake! It worked for me, too, but in our case it is just a temporary workaround because with the File Hash we would need to create rules for every new version, at least.
Still hoping the 1pw Support and Dev Team will take a look at the new signing process for Windows.