public void TestWhitelistedApplications()
{
AppListCheck alc = new AppListCheck(getConfig());
Func <string, bool> isAppInWhitelist = (path) => alc.IsAppInWhitelist(path, System.IO.Path.GetFileName(path));
Assert.IsTrue(isAppInWhitelist(@"C:\Program Files\Dropbox\dropbox.exe"));
Assert.IsTrue(isAppInWhitelist(@"C:\Program Files\eclipse\java\jre.exe"));
Assert.IsTrue(isAppInWhitelist(@"C:\Program Files\IDrive\backup-v300.exe"));
Assert.IsFalse(isAppInWhitelist(@"C:\Program Files\IDrive\backup\invalid.exe"));
}
public void TestNullBehavior()
{
DefaultPolicyConfiguration configuration = setupConfiguration(true);
AppListCheck alc = new AppListCheck(configuration);
Func <string, bool> isAppInBlacklist = (path) => alc.IsAppInBlacklist(path, System.IO.Path.GetFileName(path));
bool blacklistVal = isAppInBlacklist(@"C:\Program Files\Google\Chrome\chrome.exe");
bool whitelistVal = alc.IsAppInWhitelist(@"C:\Program Files\Google\Chrome\chrome.exe", "chrome.exe");
// The result doesn't matter, we just don't want any NullReferenceExceptions occurring.
}
public void TestApplicationWhitelists()
{
DefaultPolicyConfiguration configuration = setupConfiguration();
AppListCheck alc = new AppListCheck(configuration);
Func <string, bool> isAppInWhitelist = (path) => alc.IsAppInWhitelist(path, System.IO.Path.GetFileName(path));
Assert.IsTrue(isAppInWhitelist(@"C:\Program Files\Dropbox\dropbox.exe"));
Assert.IsTrue(isAppInWhitelist(@"C:\Program Files\eclipse\java\jre.exe"));
Assert.IsTrue(isAppInWhitelist(@"C:\Program Files\IDrive\backup-v300.exe"));
Assert.IsFalse(isAppInWhitelist(@"C:\Program Files\IDrive\backup\invalid.exe"));
Assert.IsTrue(isAppInWhitelist(@"d:\program files\dropbox\dropbox.exe"));
Assert.IsTrue(isAppInWhitelist(@"D:\PROGRAM FILES (X86)\DROPBOX\DROPBOX.EXE"));
Assert.IsTrue(isAppInWhitelist(@"D:\PROGRAM FILES (X86)\IDRIVE\BACKUP-V301.EXE"));
Assert.IsFalse(isAppInWhitelist(@"D:\PROGRAM FILES (X86)\IDRIVE\BACKUP-V301.EXE\trick.exe"));
}
/// <summary>
/// Called whenever the Engine want's to check if the application at the supplied absolute
/// path should have its traffic forced through itself or not.
/// </summary>
/// <param name="appAbsolutePath">
/// The absolute path to an application that the filter is inquiring about.
/// </param>
/// <returns>
/// True if the application at the specified absolute path should have its traffic forced
/// through the filtering engine, false otherwise.
/// </returns>
public FirewallResponse OnAppFirewallCheck(FirewallRequest request)
{
if (!IsStandardHttpPort(request.RemotePort))
{
return(new FirewallResponse(FirewallAction.DontFilterApplication, null));
}
if (appListCheck == null && m_provider.PolicyConfiguration != null)
{
appListCheck = new AppListCheck(m_provider.PolicyConfiguration);
}
// XXX TODO - The engine shouldn't even tell us about SYSTEM processes and just silently
// let them through.
if (request.BinaryAbsolutePath.OIEquals("SYSTEM"))
{
return(new FirewallResponse(FirewallAction.DontFilterApplication));
}
// Lets completely avoid piping anything from the operating system in the filter, with
// the sole exception of Microsoft edge.
if ((request.BinaryAbsolutePath.IndexOf("MicrosoftEdge", StringComparison.OrdinalIgnoreCase) == -1) && request.BinaryAbsolutePath.IndexOf(@"\Windows\", StringComparison.OrdinalIgnoreCase) != -1)
{
lock (s_foreverWhitelistedApplications)
{
if (s_foreverWhitelistedApplications.Contains(request.BinaryAbsolutePath))
{
return(new FirewallResponse(FirewallAction.DontFilterApplication));
}
}
// Here we'll simply check if the binary is signed. If so, we'll validate the
// certificate. If the cert is good, let's just go and bypass this binary altogether.
// However, note that this does not verify that the signed binary is actually valid
// for the certificate. That is, it doesn't ensure file integrity. Also, note that
// even if we went all the way as to use WinVerifyTrust() from wintrust.dll to
// completely verify integrity etc, this can still be bypassed by adding a self
// signed signing authority to the windows trusted certs.
//
// So, all we can do is kick the can further down the road. This should be sufficient
// to prevent the lay person from dropping a browser into the Windows folder.
//
// Leaving above notes just for the sake of knowledge. We can kick the can pretty
// darn far down the road by asking Windows Resource Protection if the file really
// belongs to the OS. Viruses are known to call SfcIsFileProtected in order to avoid
// getting caught messing with these files so if viruses avoid them, I think we've
// booted the can so far down the road that we need not worry about being exploited
// here. The OS would need to be funamentally compromised and that wouldn't be our fault.
//
// The only other way we could get exploited here by getting our hook to sfc.dll
// hijacked. There are countermeasures of course but not right now.
// If the result is greater than zero, then this is a protected operating system file
// according to the operating system.
if (SFC.SfcIsFileProtected(IntPtr.Zero, request.BinaryAbsolutePath) > 0)
{
lock (s_foreverWhitelistedApplications)
{
s_foreverWhitelistedApplications.Add(request.BinaryAbsolutePath);
}
return(new FirewallResponse(FirewallAction.DontFilterApplication));
}
}
try
{
m_provider.PolicyConfiguration.PolicyLock.EnterReadLock();
if (m_provider.PolicyConfiguration.BlacklistedApplications.Count == 0 && m_provider.PolicyConfiguration.WhitelistedApplications.Count == 0)
{
// Just filter anything accessing port 80 and 443.
m_logger.Debug("1Filtering application: {0}", request.BinaryAbsolutePath);
return(new FirewallResponse(FirewallAction.FilterApplication));
}
var appName = Path.GetFileName(request.BinaryAbsolutePath);
if (m_provider.PolicyConfiguration.WhitelistedApplications.Count > 0)
{
bool inList = appListCheck.IsAppInWhitelist(request.BinaryAbsolutePath, appName);
if (inList)
{
return(new FirewallResponse(FirewallAction.DontFilterApplication));
}
else
{
// Whitelist is in effect, and this app is not whitelisted, so force it through.
m_logger.Debug("2Filtering application: {0}", request.BinaryAbsolutePath);
return(new FirewallResponse(FirewallAction.FilterApplication));
}
}
if (m_provider.PolicyConfiguration.BlacklistedApplications.Count > 0)
{
bool inList = appListCheck.IsAppInBlacklist(request.BinaryAbsolutePath, appName);
if (inList)
{
m_logger.Debug("3Filtering application: {0}", request.BinaryAbsolutePath);
return(new FirewallResponse(FirewallAction.FilterApplication));
}
return(new FirewallResponse(FirewallAction.DontFilterApplication));
}
// This app was not hit by either an enforced whitelist or blacklist. So, by default
// we will filter everything. We should never get here, but just in case.
m_logger.Debug("4Filtering application: {0}", request.BinaryAbsolutePath);
return(new FirewallResponse(FirewallAction.FilterApplication));
}
catch (Exception e)
{
m_logger.Error("Error in {0}", nameof(OnAppFirewallCheck));
LoggerUtil.RecursivelyLogException(m_logger, e);
return(new FirewallResponse(FirewallAction.DontFilterApplication));
}
finally
{
m_provider?.PolicyConfiguration?.PolicyLock?.ExitReadLock();
}
}