Airlock Blog

Airlock Digital – Allowlisting Auditor v4

Written by David Cottingham | 8 December 2023


Today an updated v4 release of the auditor is available, containing highly requested improvements.

It has been five years since the v3 release of the ‘Application Whitelisting Auditor’ and it is well overdue for a refresh. The auditor is a free utility designed to comprehensively test application allowlists for weaknesses and misconfigurations, regardless of vendor. It achieves this by performing automated file load tests and identifying areas on a system where untrusted code can successfully execute.

Why is this utility needed?

As security practitioners at heart, Airlock Digital understands the importance of ensuring suitability of not only the software that it produces but also that of the wider endpoint security industry. It’s extremely important that practitioners implementing defensive security controls have:
  • An easy way to validate that endpoint security is delivering the intended security outcome;
  • A way to identify policy gaps that could be used by attackers to bypass security controls; and
  • Independent methods to demonstrate to auditors that their implementation is effective.

Meeting these requirements when it comes to allowlisting was key when creating the latest version of the auditor.

What is new?

While the auditor looks visually similar to the previous iteration, heavy emphasis was placed on function, which required the internals of the utility to be completely rewritten.

Notable changes

Broader File Type Support

Attackers increasingly leverage script file types to achieve their objectives. To find configuration gaps, the utility now supports verification of PowerShell (.ps1), HTML Application (.hta), VBScript (.vbs), Windows Installer (.msi), Compiled HTML (.chm) and Control Panel Applet (.cpl) file types.

Constrained Language Mode (CLM) Validation

Airlock’s flagship allowlisting product introduced PowerShell Constrained Language Mode support in v5.2. To complement this, the Application Allowlisting Auditor v4 checks whether PowerShell code can (or can’t) execute and also detects the language mode of the execution.

Aligned With Industry Standards

The Australian Cyber Security Centre’s (ACSC) Essential 8 is based on a maturity model, which helps ensure that security controls are implemented to a certain standard. Version 4 of the Application Allowlisting Auditor updates reporting to align directly with the ACSC Essential 8 – Maturity Level 1 application control requirements.


These requirements and the wider ACSC E8 Maturity Model can be viewed here: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model

Improved Reporting

The previous auditor’s reporting left… room for improvement. Version 4 provides high-level file execution statistics so that test results can be seen at a glance.

Test Modes

There are now two test modes within the auditor:

The first is a ‘Quick Test’ mode which tests folder locations that are commonly exploited by attackers (think temporary directories and other user-writeable locations that don’t require administrative privilege). It also allows the user to specify a single folder path for spot-checking.

The second mode is a ‘Complete Test’, which validates all folder locations on the system. This test has a longer run time but is comprehensive. Users of the auditor may note that some script file types are not supported in this mode. Unfortunately, this limitation was added due to the significant run time of launching script files in every folder of a system. This is something Airlock Digital will look to improve in future releases if workarounds can be identified.

Cleanup

One common item of feedback from the previous auditor was that it failed to ‘clean up’ test files correctly in some instances. This has been resolved in this release. In the event file permissions allow writing but not deleting of test files, the auditor will inform the user that manual cleanup is required and provide the relevant folder locations.
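
The single-folder spot check, language mode detection and cleanup reporting described above, as an added PowerShell example; it is not code from the auditor or from Airlock Digital. The function name Test-ScriptExecution, the probe file name and the default folder are assumptions made for illustration.

```powershell
# Added example, not the auditor's code. Spot-checks one folder: can a benign
# PowerShell script run from it, and in which language mode does it run?
param(
    [string]$Folder = $env:TEMP   # assumption: the folder to spot-check
)

function Test-ScriptExecution {
    param([Parameter(Mandatory)][string]$Path)

    # Hypothetical probe name; a GUID avoids clashing with existing files.
    $probe  = Join-Path $Path ("allowlist-probe-{0}.ps1" -f [guid]::NewGuid().ToString('N'))
    $result = [pscustomobject]@{
        Folder        = $Path
        Written       = $false
        Executed      = $false
        LanguageMode  = $null
        CleanupNeeded = $false
    }
    try {
        # Benign payload: the script only reports its own language mode.
        Set-Content -LiteralPath $probe -Value '$ExecutionContext.SessionState.LanguageMode' -ErrorAction Stop
        $result.Written = $true
    } catch {
        return $result   # folder not writable: nothing to run or clean up
    }
    try {
        # Child process, so policy is evaluated as for a fresh script launch.
        # -ExecutionPolicy Bypass keeps a Restricted execution policy from
        # being mistaken for an allowlisting block.
        $output = & powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $probe 2>$null
        $mode   = $output | Select-Object -Last 1
        if ($LASTEXITCODE -eq 0 -and $mode -match '^(FullLanguage|ConstrainedLanguage|RestrictedLanguage|NoLanguage)$') {
            $result.Executed     = $true
            $result.LanguageMode = $mode
        }
    } catch {
        # Launch was refused outright; Executed stays $false.
    } finally {
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        # If write was permitted but delete was not, flag manual cleanup.
        $result.CleanupNeeded = Test-Path -LiteralPath $probe
    }
    return $result
}

Test-ScriptExecution -Path $Folder | Format-List
```

A result of Executed = True with LanguageMode = FullLanguage from a user-writable folder indicates a policy gap; ConstrainedLanguage or Executed = False is the outcome an allowlist is meant to produce.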


We hope that, regardless of which allowlisting software you are using, this utility helps improve your implementation and drives greater security within your environment. If you have any feedback, please don’t hesitate to let us know.

 

Download: Current Version: v4.0
Release Date: XX/10/2024
File Size: 3631 KB
Dependency: Microsoft .NET Framework v4.0+
SHA1: a817e3192eb50bcbf83d97062b1dd850959665eb
SHA256: 8684ad0b39c4d3a9b4bcf922647d2c3d978c9468e73f8e6e7198229dc3cbee02