I'm implementing Software Restriction Policy on our workstations. The policy is to block everything except a list of white listed paths.
I'm trying to white list a directory inside the Thunderbird user's profile to allow the Lightning extension to work. The path is:
%APPDATA%\Roaming\Thunderbird\Profiles\*\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
The user's profile name is randomly generated, so I need a wildcard.
Unfortunately, this doesn't seem to work because of the wildcard. The DLL continues to be blocked by SRP.
I also tried to white list the certificate (the DLL is signed by a Mozilla certificate), but this doesn't work. Maybe this applies only to signed .exe files?
I white listed the hash for the moment, but this will require maintenance after each release of Thunderbird, so I would prefer to white list the path instead.
Applocker is not an option, we are using Windows 10 Pro.
Any idea?
I was facing the same problem a few minutes ago, and now I think the solution is simpler than you think.
becomes:
(without spelling out the "Roaming" subfolder, since APPDATA already resolves to it.)
Anyway, IMHO, this exposes you to a targeted attack, since that DLL will remain user-writable.
Suggestions are welcome. ;-)
File a bug report with Mozilla!
NEVER define path rules with components like "%APPDATA%" which are under full control of the user (here both the variable and the directory are).
NEVER define registry path rules with such components too.
Define a hash or a certificate rule for the DLL!
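The warning in the last answer can be turned into a check. The PowerShell below is an added example, not code from the question or either answer: it reads the SRP path rules of the "Unrestricted" level, flags any rule built on an environment variable a standard user controls (%APPDATA% and friends), and tests whether the fixed part of the pattern before the first wildcard sits in a directory that standard users can write to. It assumes the usual SRP registry location under HKLM (CodeIdentifiers\262144\Paths, ItemData holding the pattern); the list of user-controlled variables and broad principals are my own choices, and the two sample patterns are constructed so the output is visible even on a machine with no rules.

```powershell
# Added example: audit SRP path rules for user-controlled components.
# Assumption: rules live under the standard SRP key for the Unrestricted (262144) level.
$RuleKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths'

# Variables whose value and target directory a standard user fully controls (my list).
$UserControlledVars = @('%APPDATA%', '%LOCALAPPDATA%', '%USERPROFILE%', '%TEMP%', '%TMP%', '%HOMEPATH%')

# Principals whose write access makes a directory "user-writable" for this check.
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-SrpPathRules {
    # Each rule is a GUID-named subkey; its ItemData value holds the path pattern.
    if (-not (Test-Path $RuleKey)) { return @() }
    Get-ChildItem $RuleKey | ForEach-Object {
        $data = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Id = $_.PSChildName; Pattern = $data.ItemData; Description = $data.Description }
    }
}

function Test-UserWritable([string]$Directory) {
    # True when a broad principal holds an Allow ACE granting any write right.
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

function Test-SrpPathRule([string]$Pattern) {
    $findings = @()
    foreach ($v in $UserControlledVars) {
        if ($Pattern -like "*$v*") { $findings += "uses user-controlled variable $v" }
    }
    # Expand variables the way SRP does, then keep the fixed prefix before the first
    # wildcard: everything beneath a user-writable prefix is effectively whitelisted.
    $expanded = [Environment]::ExpandEnvironmentVariables($Pattern)
    $prefix = ($expanded -split '[\*\?]')[0].TrimEnd('\')
    if (-not (Test-Path -LiteralPath $prefix -PathType Container)) {
        $prefix = Split-Path -Path $prefix -Parent
    }
    if ($prefix -and (Test-UserWritable $prefix)) {
        $findings += "prefix '$prefix' is writable by standard users"
    }
    [pscustomobject]@{ Pattern = $Pattern; Risky = ($findings.Count -gt 0); Findings = ($findings -join '; ') }
}

function Get-DllSigner([string]$Path) {
    # Shows the signer a certificate rule (the alternative the last answer recommends) would key on.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
}

# Constructed sample input: the pattern from the question and a Program Files pattern for contrast.
$samples = @(
    '%APPDATA%\Thunderbird\Profiles\*\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll',
    '%ProgramFiles%\Mozilla Thunderbird\*'
)
$patterns = @(Get-SrpPathRules | ForEach-Object Pattern) + $samples
$patterns | ForEach-Object { Test-SrpPathRule $_ } | Format-Table -AutoSize -Wrap
```

Run it elevated so the registry read succeeds. The first sample pattern is flagged on both counts (it uses %APPDATA%, and the per-user profile directory is writable by the user), while the Program Files pattern is clean on a default install. For a DLL you intend to cover with a certificate rule, Get-DllSigner on the file shows the Subject the rule would match.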