Exemple #1
0
        public void TestWhitelistedApplications()
        {
            AppListCheck alc = new AppListCheck(getConfig());

            Func <string, bool> isAppInWhitelist = (path) => alc.IsAppInWhitelist(path, System.IO.Path.GetFileName(path));

            Assert.IsTrue(isAppInWhitelist(@"C:\Program Files\Dropbox\dropbox.exe"));
            Assert.IsTrue(isAppInWhitelist(@"C:\Program Files\eclipse\java\jre.exe"));
            Assert.IsTrue(isAppInWhitelist(@"C:\Program Files\IDrive\backup-v300.exe"));

            Assert.IsFalse(isAppInWhitelist(@"C:\Program Files\IDrive\backup\invalid.exe"));
        }
Exemple #2
0
        public void TestNullBehavior()
        {
            DefaultPolicyConfiguration configuration = setupConfiguration(true);

            AppListCheck alc = new AppListCheck(configuration);

            Func <string, bool> isAppInBlacklist = (path) => alc.IsAppInBlacklist(path, System.IO.Path.GetFileName(path));

            bool blacklistVal = isAppInBlacklist(@"C:\Program Files\Google\Chrome\chrome.exe");
            bool whitelistVal = alc.IsAppInWhitelist(@"C:\Program Files\Google\Chrome\chrome.exe", "chrome.exe");

            // The result doesn't matter, we just don't want any NullReferenceExceptions occurring.
        }
Exemple #3
0
        public void TestApplicationWhitelists()
        {
            DefaultPolicyConfiguration configuration = setupConfiguration();

            AppListCheck alc = new AppListCheck(configuration);

            Func <string, bool> isAppInWhitelist = (path) => alc.IsAppInWhitelist(path, System.IO.Path.GetFileName(path));

            Assert.IsTrue(isAppInWhitelist(@"C:\Program Files\Dropbox\dropbox.exe"));
            Assert.IsTrue(isAppInWhitelist(@"C:\Program Files\eclipse\java\jre.exe"));
            Assert.IsTrue(isAppInWhitelist(@"C:\Program Files\IDrive\backup-v300.exe"));

            Assert.IsFalse(isAppInWhitelist(@"C:\Program Files\IDrive\backup\invalid.exe"));

            Assert.IsTrue(isAppInWhitelist(@"d:\program files\dropbox\dropbox.exe"));
            Assert.IsTrue(isAppInWhitelist(@"D:\PROGRAM FILES (X86)\DROPBOX\DROPBOX.EXE"));

            Assert.IsTrue(isAppInWhitelist(@"D:\PROGRAM FILES (X86)\IDRIVE\BACKUP-V301.EXE"));

            Assert.IsFalse(isAppInWhitelist(@"D:\PROGRAM FILES (X86)\IDRIVE\BACKUP-V301.EXE\trick.exe"));
        }
        /// <summary>
        /// Called whenever the Engine want's to check if the application at the supplied absolute
        /// path should have its traffic forced through itself or not.
        /// </summary>
        /// <param name="appAbsolutePath">
        /// The absolute path to an application that the filter is inquiring about.
        /// </param>
        /// <returns>
        /// True if the application at the specified absolute path should have its traffic forced
        /// through the filtering engine, false otherwise.
        /// </returns>
        public FirewallResponse OnAppFirewallCheck(FirewallRequest request)
        {
            if (!IsStandardHttpPort(request.RemotePort))
            {
                return(new FirewallResponse(FirewallAction.DontFilterApplication, null));
            }

            if (appListCheck == null && m_provider.PolicyConfiguration != null)
            {
                appListCheck = new AppListCheck(m_provider.PolicyConfiguration);
            }

            // XXX TODO - The engine shouldn't even tell us about SYSTEM processes and just silently
            // let them through.
            if (request.BinaryAbsolutePath.OIEquals("SYSTEM"))
            {
                return(new FirewallResponse(FirewallAction.DontFilterApplication));
            }

            // Lets completely avoid piping anything from the operating system in the filter, with
            // the sole exception of Microsoft edge.
            if ((request.BinaryAbsolutePath.IndexOf("MicrosoftEdge", StringComparison.OrdinalIgnoreCase) == -1) && request.BinaryAbsolutePath.IndexOf(@"\Windows\", StringComparison.OrdinalIgnoreCase) != -1)
            {
                lock (s_foreverWhitelistedApplications)
                {
                    if (s_foreverWhitelistedApplications.Contains(request.BinaryAbsolutePath))
                    {
                        return(new FirewallResponse(FirewallAction.DontFilterApplication));
                    }
                }

                // Here we'll simply check if the binary is signed. If so, we'll validate the
                // certificate. If the cert is good, let's just go and bypass this binary altogether.
                // However, note that this does not verify that the signed binary is actually valid
                // for the certificate. That is, it doesn't ensure file integrity. Also, note that
                // even if we went all the way as to use WinVerifyTrust() from wintrust.dll to
                // completely verify integrity etc, this can still be bypassed by adding a self
                // signed signing authority to the windows trusted certs.
                //
                // So, all we can do is kick the can further down the road. This should be sufficient
                // to prevent the lay person from dropping a browser into the Windows folder.
                //
                // Leaving above notes just for the sake of knowledge. We can kick the can pretty
                // darn far down the road by asking Windows Resource Protection if the file really
                // belongs to the OS. Viruses are known to call SfcIsFileProtected in order to avoid
                // getting caught messing with these files so if viruses avoid them, I think we've
                // booted the can so far down the road that we need not worry about being exploited
                // here. The OS would need to be funamentally compromised and that wouldn't be our fault.
                //
                // The only other way we could get exploited here by getting our hook to sfc.dll
                // hijacked. There are countermeasures of course but not right now.

                // If the result is greater than zero, then this is a protected operating system file
                // according to the operating system.
                if (SFC.SfcIsFileProtected(IntPtr.Zero, request.BinaryAbsolutePath) > 0)
                {
                    lock (s_foreverWhitelistedApplications)
                    {
                        s_foreverWhitelistedApplications.Add(request.BinaryAbsolutePath);
                    }

                    return(new FirewallResponse(FirewallAction.DontFilterApplication));
                }
            }

            try
            {
                m_provider.PolicyConfiguration.PolicyLock.EnterReadLock();

                if (m_provider.PolicyConfiguration.BlacklistedApplications.Count == 0 && m_provider.PolicyConfiguration.WhitelistedApplications.Count == 0)
                {
                    // Just filter anything accessing port 80 and 443.
                    m_logger.Debug("1Filtering application: {0}", request.BinaryAbsolutePath);
                    return(new FirewallResponse(FirewallAction.FilterApplication));
                }

                var appName = Path.GetFileName(request.BinaryAbsolutePath);

                if (m_provider.PolicyConfiguration.WhitelistedApplications.Count > 0)
                {
                    bool inList = appListCheck.IsAppInWhitelist(request.BinaryAbsolutePath, appName);

                    if (inList)
                    {
                        return(new FirewallResponse(FirewallAction.DontFilterApplication));
                    }
                    else
                    {
                        // Whitelist is in effect, and this app is not whitelisted, so force it through.
                        m_logger.Debug("2Filtering application: {0}", request.BinaryAbsolutePath);
                        return(new FirewallResponse(FirewallAction.FilterApplication));
                    }
                }

                if (m_provider.PolicyConfiguration.BlacklistedApplications.Count > 0)
                {
                    bool inList = appListCheck.IsAppInBlacklist(request.BinaryAbsolutePath, appName);

                    if (inList)
                    {
                        m_logger.Debug("3Filtering application: {0}", request.BinaryAbsolutePath);
                        return(new FirewallResponse(FirewallAction.FilterApplication));
                    }

                    return(new FirewallResponse(FirewallAction.DontFilterApplication));
                }

                // This app was not hit by either an enforced whitelist or blacklist. So, by default
                // we will filter everything. We should never get here, but just in case.

                m_logger.Debug("4Filtering application: {0}", request.BinaryAbsolutePath);
                return(new FirewallResponse(FirewallAction.FilterApplication));
            }
            catch (Exception e)
            {
                m_logger.Error("Error in {0}", nameof(OnAppFirewallCheck));
                LoggerUtil.RecursivelyLogException(m_logger, e);
                return(new FirewallResponse(FirewallAction.DontFilterApplication));
            }
            finally
            {
                m_provider?.PolicyConfiguration?.PolicyLock?.ExitReadLock();
            }
        }