How to "Virus-Proof" Your Computer With Windows AppLocker (Ultimate Guide)
Ғылым және технология
Well, at least as close to virus-proof as you can get... 🤔
⇒ Become a channel member for special emojis, early videos, and more! Check it out here: kzread.infojoin
• Download the policies and filters I mentioned here: drive.google.com/file/d/1RwZJ...
(Current resource pack version = 6, Updated 2/14/2024)
📝Additional Notes:
• To get AppLocker policies to actually work, you might have to enable the "Application Identity" service and set it to start automatically if it isn't already. This requires a special command because it is a protect process (as opposed to just opening the services menu). To do this, run the command in command prompt as admin:
sc.exe config appidsvc start= auto
• It turns out you CAN actually add the Group Policy settings for PowerShell core without having to install PowerShell Core. I've added instructions to the ReadMe file in the resource pack in the description, but basically you download the latest zip release from Microsoft's PowerShell GitHub, and copy the files "PowerShellCoreExecutionPolicy.admx" and "PowerShellCoreExecutionPolicy.adml" into the directories "C:\Windows\PolicyDefinitions" and "C:\Windows\PolicyDefinitions\en-US" respectively.
• I figured this went without saying, but obviously if you download something malicious and add a rule to allow it, you will be infected. You still must ALWAYS be vigilant. And you should still also use an Antivirus, it’s not a replacement for that.
▼ Time Stamps: ▼
0:00 - Intro
2:21 - Video Chapters Outline
3:37 - Creating a Shortcut to AppLocker
5:17 - AppLocker Initial Setup
6:17 - Creating AppLocker Log in Event Viewer
9:02 - AppLocker Default Rules
10:44 - File Types For Different Rule "Collections"
12:26 - Adding Rules & How They Work
26:10 - Deny Rules
27:22 - More Rules I Added
31:17 - Allowing Specific Signed Files
32:30 - Why Add Rules Blocking PowerShell?
35:27 - Importing the Policy
36:10 - Note About "Policy Test" Files
36:52 - Note If You Don't Have PowerShell 7
37:41 - AppLocker With Powershell (IMPORTANT)
40:33 - Disabling PowerShell 2.0
40:59 - Setting PowerShell Execution Policy
43:54 - Blocking Bypass of Execution Policy
46:05 - PowerShell Script Block Logging
46:57 - PowerShell 7 Has Separate Execution Policies
47:36 - Setting Up PowerShell 7 Execution Policies
49:46 - Which PowerShell MachinePolicy Should You Use?
50:30 - How to Determine if a File is Signed
51:38 - Wrapping Up
Corrections:
@ 47:52 - If you don't have PowerShell 7 installed, you actually still can add the settings to Group Policy Editor. See instructions in the 'ReadMe' file in the resource pack in the description.
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Merch ⇨ teespring.com/stores/thiojoe
⇨ / thiojoe
⇨ / thiojoe
⇨ / thiojoetv
My Gear & Equipment ⇨ kit.co/ThioJoe
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Пікірлер: 318
I knew the video would be longer than average but not this long 😩 📝Notes: • Also I figured this went without saying, but obviously if you download something malicious and add a rule to allow it, you will be infected. You still must ALWAYS be vigilant. And you should still also use an Antivirus, it’s not a replacement for that. • To get AppLocker policies to actually work, you might have to enable the "Application Identity" service and set it to start automatically if it isn't already. This requires a special command because it is a protect process (as opposed to just opening the services menu). To do this, run the command in command prompt as admin: sc.exe config appidsvc start= auto • Turns out you CAN actually add the Group Policy settings for PowerShell core without having to install PowerShell Core. I've added instructions to the ReadMe file in the resource pack in the description, but basically you download the latest zip release from Microsoft's PowerShell GitHub, and copy the files "PowerShellCoreExecutionPolicy.admx" and "PowerShellCoreExecutionPolicy.adml" into the directories "C:\Windows\PolicyDefinitions" and "C:\Windows\PolicyDefinitions\en-US" respectively.
@faelixy5
10 ай бұрын
it’s 52 minutes but ok-
@_SJ
10 ай бұрын
Looooonnngggg 😊
@ethimself5064
10 ай бұрын
🤣🤣
@CosmicCitiZenOfficial
10 ай бұрын
You made a Documentary....😄👏
@pyp2205
10 ай бұрын
Woah, I didn't realize how long this video is until I saw this comment.
I don't know why everybody is emphasizing the duration of this video - for me - it was like watching a super interesting, informative and well-written documentary - the time just flew buy! Excellent work, thank you so much for your effort! Greetings from Croatia :)
@-_lIl_-
10 ай бұрын
is it just me or did this 52 minute tutorial feel like a 10 minute tutorial? "Good tutorials feel like they took a fraction of the actual time it took to complete it. Bad tutorials are the same, except the reason is because of leaving early due to how bad it is instead of being due to how good it is."
@GamerTheMK
2 ай бұрын
Same !
let's appreciate how much effort this guy spent to help us virus-proof our computers
@yashprogamer647
10 ай бұрын
Yes
@ppanigrahi
10 ай бұрын
Fully Agree
@gabe_0x
10 ай бұрын
As useful as these tools are, the single best anti-virus you can have is your own common sense.
@OGuiBlindao
10 ай бұрын
@@gabe_0xNot when a trusted program randomly downloads malware to your pc
@Splarkszter
2 ай бұрын
@@gabe_0x Everyone knows that but the human factor will ALWAYS fail. Social Engineering is too powerful because they exploit people in all ways imaginable. Hardening our systems will help as an early warning system, and if you actually put attention to the video, AppLocker is the single best tool ever for this kind of thing. Now i wish to know a HID whitelist system.
The hero we didn't know we deserved
@ziphhy
10 ай бұрын
He used to be the villain, happy he has become the hero.
@random_person618
10 ай бұрын
@@ziphhyMe too.
@chipproductions1510
10 ай бұрын
Who says we deserve him?
@alphainfinityX
10 ай бұрын
NGL I use to love the villain side of him back in the day
@SamuelViagus
10 ай бұрын
Yes
Here's what I did for my grandma's PC, very simple: - Require my own password for Administrative privileges so she can't do that - Set up a single browser so she has no access to other browsers, with downloads always dropping into the Downloads folder - Wrote a script to instantly delete any executables that enter the Downloads folder My beloved virus addict is now sober :)
Hey ThioJoe! I appreciate you making this more detailed and longer! 🎉
This is amazing, thanks so much for taking the time and putting so much effort into this. You're a legend!
You know @ThioJoe has a gift for teaching and explaining when the whole 50 minute video felt like 10 and you remember fairly well most of the process! Totally appreciate this video.
Congrats on 3M subscribers! Well deserved!
Best 50 minute of my time, thanks a lot TJ, definitely learned a lot.
I swear this video is so informative and useful it’s something you could probably charge for and make thousands off of but you were nice enough to give it to everyone for free, what a guy
We've been waiting! Thank you Thio!! 🎉🎉🎉
This is one of those videos that I've saved up to watch, as you were asking in a recent poll. Thanks for the detailed explanation!
THANK YOU SO MUCH! I've been waiting for a tutorial on how to set this up. Great video as always!
Awesome video ThioJoe! Structured well like a course. 👍
one of the best tutorials for applocker, even one of the most in-depth well explained tutorial in general
@yashprogamer647
10 ай бұрын
I know
I have no intention to do any of this myself but I watched it all You made it very engaging and informative, I didn't noticed the length until it was almost done I wont mind more "complex" tutorials like this on in the future
@MRCREEP-gj3xr
9 ай бұрын
that's why you blush the whole time
@thiojoe, this was one of the best mapped out videos covering a relatively complex topic and one with lots of settings. We are implementing this, and your video has been shared to the team as the best tutorial about it.
Exactly what I was waiting for 🎉 Many, many thanks Thio ✌️
Thank you for think of us and sharing this knowledge! You are the BEST!! I made the changes on my PC and hopefully the random file explorer windows opening will stop.
This might be the best video on your channel! I wanted to thank you for your effort doing this!
Thank you for this very comprehensive tutorial, ThioJoe. It is much appreciated.
I think this is your second longest video. Nothing beats that 2 hour one
Thank you so much for this detailed guide. I was able to follow all of your instructions easily. I understood each and every step depicted in your video. By the way, I'm a big fan of your KZread Channel. You make great videos. It's always a great time whenever I watch any of your videos. 😁
This video structure is great and you explain it very well. Thanks for taking the time
Holy moly this guy is insane! Take so much time and effort to make us safer
Love the content you have been putting out, really made me understand this underused feature!
"Comprehensive tutorial" is an understatement!
This video seems excalty what I was looking for. You saved me a lot of reading and studying time! Thank you very much!!!
I'm really fascinated by this *type* of security. Antiviruses don't exite me, but this idea of reducing attack surface and plugging security holes is suuper amazing to me. I'd love to see more similar stuff
@Lofote
10 ай бұрын
Yes, whitelisting is so muc more powerful than blacklisting, in fact antivirus solutions are not able to defeat the 100.000 of new attacks nowadays. Plus it doesnt slow the machine down anymore like AV solutions :)
An hour video... thanks man!
Another excellent how to video!! Many thanks. Had to enable “Application Identity” service to get AppLocker to work. However to get it to auto start.. Had to regedit and set its start to 2.
Very informative. Great job! Much appreciated.
Just what I was looking for! Great vid
Thank you for putting so much time into this
Just did it ! Enjoyed the entire video.
I appreciate the effort for this. Thank you Joe.
Awesome!! Unfortunately we wouldn't get rid of those pesky refund scammers with this but atleast we'd get away from ransomware and so on. Really great video, thanks!! Since I regularly reinstall my Windows I'm gonna have to delve deeper into how to transfer the settings to another computer, didn't know it was that easy!
52 minute ThioJoe video? Yes please! 🙂
@froggygaming84
10 ай бұрын
yes
@_SJ
10 ай бұрын
@doubleWmemesYes, a few hours ago
@faelixy5
10 ай бұрын
wait what it’s published since 3 minutes but it says you posted this comment 12 hours ago
@CanDoesGames
10 ай бұрын
@@_SJ how did you even watch it before it was posted
@fundominant
10 ай бұрын
paid member @@CanDoesGames
Hi ThioJoe, I just wanted to say thank you, although I'll never do any of what you've shown here. Just not Tech savvy enough.I do realize how much time you have spent on video. Thanks
Thanks so much! Glad I was patient :)
best time spent on windows security, thank you for sharing!
Thanks for the long and detailed video, will be testing this out... I'm curious how this is implemented on a domain (as far as scripts go, what has priority.. still local machine?) Keep up the great work!
Top tip if you are ever applying AppLocker policy in an AD domain NEVER and i mean NEVER edit a live policy always export the rules edit them locally and then re import. If something goes wrong ( and it can ) you can corrupt the policy and brick machines. I learned that the hard way, bricked about 20 machines . The best way to fix this is to switch to editing rules via configuration manager.
@Lofote
10 ай бұрын
With admin rights you can unbrick the machines, in the last instance you can boot from windows cd, shift f10, regedit, mount the local registry hives and remove the applocker rules :)
@Lofote
10 ай бұрын
Oh and to prevent this happening: allow wverything for admins, like the default templats suggests. I mean admins can do whatever they want anyway, effectively delete rules, thats why there is little sense in deleting the admincandoall rule :)
I finished. Thank you for the great video and the detailed guide.
Well done, Thio! Another suggestion for a video would be about Azure Information Protection and DLP (Data Loss Prevention). What files are protected, what can be managed, tracking files on disk and in transit etc.
Thank you for your hard work. Much appreciated.
Love this, suggestion/question for the import files you have (thanks btw), any reason you can't replace all of the WHATEVERUSERNAME placeholders with %USERNAME%
May god bless you thio. Have a great day
Great section on allow and deny rules also 👍
One of my favorite youtubers
Awsome Video😀
thank you for this been wanting to know how this is set up
Super helpful video! Thank you very much. One thing I noticed is that some malware use a Microsoft certificate that is used to encrypt. Is AppLocker smart enough to not fall for that? Edit: There is a right-click option to "Automatically generate" also. How well does that work and what does it do?
Wow, awesome work! This is very technical but also very thorough. One thing I found was my Application Identity service was not running for some reason. Even though I'm logged in as admin I could not set it to run automatically. But found a PS script that was able to set it. :) This whole process seems a little "quirky" though. The audit event log doesn't seem to work for me. But when I change it to Enforce, then the events start showing. Microsoft is also so "fun" to try to figure out. :D
@TechHowYT
10 ай бұрын
Do you mind sharing that PS script? I'm having the same issue. I can get it to run on Windows 11 Pro, but not Windows 10 Pro. Very strange...
@Whitemike63
9 ай бұрын
You are logged as root. You are a hackers perfect target man. Linux does it right only when you need root, install a program and punch password you get 15 mins of root running. This is very dangerous having it 24/.
@sandalwood4271
7 ай бұрын
@@Whitemike63 In Windows, it works a bit differently. As far as I can tell, most users have admin-level control of the system by default (without editing group policy settings, of course), which isn't too dangerous because admin accounts, despite the implications in the name, don't actually have full system access, like the Linux root account. In fact, it's supposed to be extremely difficult to scale a user's system-wide authority to root-level in the first place.
You're excellent, Joe! I would love to share with you my motivational presentation about my life with Cerebral Palsy, and how tech has enabled me to lead a normal life online.
Great job, thanks!
perfect video thanks a lot i didn't even know what this tool do even after using windows for 15 years already 🤣
Thanks for the super paranoid virus guide, will be installing in my pc
Gotta commend you on the effort!
Is an allow for executable installer or other installer for example make it so a uac prompt doesn't show up when it normally would if no applocker was configured
Thank you so much!!!
Superb❤
Excellent!
Adding more application those can be use pro-actively: Simplewall or Portmaster Excellent firewall application
Is it feasible to devise a script that establishes an 'allow' rule for executing a specific application, alongside another script to subsequently revoke this 'allow' rule? This would enable me to proactively enable and disable applock rules for a particular application, both prior to and following its execution. Additionally, I'm interested in maintaining a default state of denying the execution of all applications and scripts.???? I'm just curious 🧐.
Ok, I watched every second and did that all. Now Im affraid to restart pc :D
Im really proud lol, I have made a Powershell script which I added to the context menu which allows me to on right clicking the file, instantly whitelisting it.
Thanks ThioJoe for this great content. For me the length of the video is very OK, considering the content. However, following this tutorial is a challenge. It's difficult to know how you arrived at certain point by the clicks of the mouse due to the speed and rate of zooming in and out. The movement of the mouse pointer on the screen is almost at the "speed of light". Maybe it's just me seeing it that way
@ThioJoe
10 ай бұрын
Yea I realized afterwards I wasn’t really explaining everything I was doing so I tried to add on-screen explanations at some point. Some parts might be helped by putting the video on 0.5x speed
i going around powershell execution policies with the classic command prompt (cmd). can it restrict it, too? or it is still a legacy security problem, which cannot be regulated other than turning it off completely?
Also when checking event viewer events in these custom views that just happened disappear even though other older events in other logs are still there.
If someone got trouble running a program, just take a look into event viewer to see which sub-program for example is getting blocked
Super helpful. The only problem is my Event Viewer isn't showing the audit logs at all. It's as if nothing is run.
I heard if you say your favorite youtuber 3 times you will get a hearted comment ThioJoe ThioJoe ThioJoe 👌
I noticed there a tons of DLLs that are not signed show they will be blocked. I also noticed that regedit the file you are using as a sample is also not signed? Will this cause a problem?
Thank you for making this video. I have a problem with my pc it's a dell optiplex 390, the monitor won't switch on. it just says no signal I don't know what to do but maybe if u can make a video that would really help thanks and have a nice day.
Great guide. I'm giving it a whirl, but I expect there'll be some teething issues when I fire up my software development tools, software on other hard drives, and Mod Organizer 2. Btw, I think on my system, AppBlocker didn't start checking rules until I started the "Application Identity" service (e.g. appidsvc ) and restarted. Either that or I just wasn't hitting the refresh button on the event log. It is getting a bit late...
@bokami3445
10 ай бұрын
I'm having a problem, the Application ID Service won't let me set to automatic? How did you accomplish it? Thanks
@hotlavatube
10 ай бұрын
@@bokami3445 Google "Configure the Application Identity service" and go to the link from microsoft. The page notes that "Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service Startup type to Automatic by using the Services snap-in. " They give you a command line to use in powershell. I'd give you the line, but you really shouldn't trust command lines from random youtubers! ;-)
Thankss !❤
"28 second" old, never been this early for a TJ video before, and a very interesting and informative video too! =D
@yashprogamer647
10 ай бұрын
Did you watch it
@Proferk
10 ай бұрын
ago*
@Alexus00712
10 ай бұрын
@@yashprogamer647I have now, it was very interesting and informative
I wasn't so paranoid until my avast antivirus was not protecting me, and the UI was bugged so i couldnt access it but in the ui it said that it was protecting me, but in the tray icon it said i wasnt. aa restart showed that my firewall was disabled and i IMMEDIATELY activated it and did a full virus scan. Now here I am, doing this regardless of the inconvenience of it. A few menu navigation clicks as an inconvenience is nothing compared to trying to remove dangerous malware from your computer and possibly spend hundreds to get it repaired if your not good with tech, and possibly even thousands if it cannot be removed and you have to buy a new pc. "Paranoia is not an inconvenience, it is your body's natural safeguard when it senses danger"
I have noticed an error at Creating a Shortcut to AppLocker at 3:43. The path you listed is correct, but you forgot to list "Windows Settings" after computer configuration in the red text box path
So can you make it so games and clients for steam to name a few? But lock everything else down?
Thank you for once again scratching my cybersecurity paranoia itch
Didn't watch the video yet, but may I ask if this app is similar to the security suit of lenovo thinkpad? I'm just buying a brand new thinkpad p1 and saw that there's an option to add lenovo's security suit (or something like this name, anyways, it's by lenovo), for 200$, are there any major advantages to one of the options? Thx in advance😊
@ThioJoe
10 ай бұрын
I am not familiar with that sorry, but I have to imagine it’s different because AppLocker is built directly into Windows itself. They might serve completely different purposes though.
Hey thio please do make a video on enabling windows defender app control (WDAC).
Hi, I don't have new window option when I right click on applocker. Is there a reason why or did I do something wrong in the steps? thanks.
Doesn't Steam set the permissions on some folders in its install directory to be modifiable without elevation? I imagine it would be difficult to configure rules properly to allow games to run but disallow malware from copying executables into the same directories as the games...
@futuza
10 ай бұрын
That's what the file hash exceptions are for. That said, very few malwares are going to try the trick of copying themselves into a game's directory to attempt to use that as a staging ground, so the possibility of that happening is pretty remote. Most malware authors are not going to be writing it to tailor to your specific security policies/install setup, but hitting broader targets and going for typically unprotected areas like the Windows directory or Program Files directory etc. since most malware is just trying to find as many vulnerable victims as possible and ignore hardened systems. It's certainly possible malware could be written to do that though. Real dangerous malware, like the kind the NSA or other state sponsored hacking organizations create, and not just script kiddie stuff, are going to use previously unknown zero-day vulnerabilities to get around security policies (such as the Windows AppLocker) rendering all of this useless against them. If you're being targeted specifically by the NSA though you're kinda just screwed at that point.
YO ALMOST ONE HOUR OF CONTENT???? I CANT WAIT
Hi! I think the toggle rule can change the path to %temp% instead of putting full path (C:\Users\Joe\Appdata\Local\Temp) on your rules.
@ThioJoe
10 ай бұрын
Normally you'd be right but AppLocker path rules actually have a limited set of variables that can be used, not all normal environment variables. See here: learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker
Great Video. I have on my pc Windows 10 Home. And I just installed Group policy on it with an elevated command prompt command from the internet.When i follow your video I can acces applocker there in the new Installed Group policy. Do you think that rules can be made to be used in Windows 10 Home?
@ThioJoe
10 ай бұрын
Unfortunately on Home even if you install the group policy editor with the trick, none of the settings will actually do anything
@johnpedersen8387
10 ай бұрын
Thanks for your answer ThioJoe :-)@@ThioJoe
Can you do a comparison between Applocker and Windows Application Control? And how to set up WDAC?
@ThioJoe
10 ай бұрын
I’m not as familiar with WDAC, but I have dabbled with it. It is harder to set up but has some advantages over AppLocker. The biggest problem is there is no GUI for WDAC.
@patricklechner1
10 ай бұрын
@@ThioJoe isn't it set through a program where you can create a customized script that enforces what it runs?
@kennethhusayn9354
10 ай бұрын
@@patricklechner1 You can manage WDAC through either the ConfigCI suite of PowerShell cmdlets, or you can create WDAC policies with the WDAC Wizard (which is a project maintained by Microsoft.) Edit: Despite that, managing WDAC through both of those options is still a pain, and there is not yet a full-automation solution for WDAC on the market.
@kennethhusayn9354
10 ай бұрын
WDAC can control apps that run in Kernel mode as well as User mode. (AppLocker just deals in User mode.) Also, if you create a signed WDAC policy and put it in the UEFI partition, then it becomes much harder for a hacker--even with admin privileges--to remove (unless they can get ahold of the signing certificate.) WDAC does NOT control .BAT scripts. (There's other minor differences in the file types that they maintain.) WDAC is applied to the whole device regardless of the user account, but AppLocker allows you to vary rule enforcement based on different user accounts. The logs for WDAC events are located in the Event Viewer -> in Applications and Services logs > Microsoft > Windows > CodeIntegrity > Operational. HOWEVER, logs for WDAC enforcement events involving scripts and MSI files are still located in the "AppLocker" location described in this video.
@patricklechner1
10 ай бұрын
@kennethhusayn9354 thank you so much
did 7-zip or bandzip have same Vulnerability with cve-2023-40477 being the winrar Vulnerability was find
Hi, I want to ask you something before setuping this applocker. Will it have any problems with my antivirus-BitDefender? Since bitdefender is already protecting the whole computer and runs its files in the background, I wanna ask if this tool will mess up and block BitDefender from properly working and doing its job? Since I have BitDefender Total I have a Firewall
@ThioJoe
10 ай бұрын
I had no problems using it with Bitdefender
@AaronSiegel001
2 ай бұрын
Same
It's a sandbox there was one I used for windows 7 called deep freeze it's a virtual environment nothing gets saved . Unless you create a folder that you can savee too.
Ever thought of putting some sort of filter in the system? If the cooling fluid is not under pressure then maybe a simple coffee filter could catch this stuff.
how about windows Unified Write Filter vs virus ? thank you !
Why create 2 MMC files when Event viewer and GPO AppLocker can be added in a single Console. From there just add some windows. I've got a console with a whole bunch of tools even some custom scripts that I can launch from the MMC.
The " sc.exe config appidsvc start= auto" gives me this error "[SC] OpenService FAILED 5: Access is denied." How do I fix this?
if anyone even doest see that this GPO settings wil working the Service "Application Identity" must be running else the rule changes doest take any effect it look like that it even take effect after using gpupdate /force
If i want only Google Chrome access the Chrome's cookie foler what rule should i make?