It has been five years since the v3 release of the ‘Application Whitelisting Auditor’, and it is well overdue for a refresh. The auditor is a free utility designed to comprehensively test application allowlists for weaknesses and misconfigurations, regardless of vendor. It does this by performing automated file load tests and identifying the locations on a system where untrusted code can successfully execute.
Meeting the practical requirements of allowlisting was a key goal when creating the latest version of the auditor.
While the auditor looks much like the previous iteration, the emphasis this time was on function, which required the internals of the utility to be completely rewritten.
Broader File Type Support
Attackers increasingly leverage script file types to achieve their objectives. To find the corresponding configuration gaps, the utility now supports verification of PowerShell (.ps1), HTML Application (.hta), VBScript (.vbs), Windows Installer (.msi), Compiled HTML Help (.chm) and Control Panel Applet (.cpl) file types.
Constrained Language Mode (CLM) Validation
Airlock’s flagship allowlisting product introduced PowerShell Constrained Language Mode support in v5.2. To complement this, the Application Allowlisting Auditor v4 checks whether PowerShell code can (or can’t) execute and also reports the language mode it executed under, so a script that runs but is limited to Constrained Language Mode is distinguished from one that runs with full language access.
Aligned With Industry Standards
The Australian Cyber Security Centre’s (ACSC) Essential 8 is based on a maturity model, which helps ensure that security controls are implemented to a defined standard. Version 4 of the Application Allowlisting Auditor updates its reporting to align directly with the ACSC Essential 8 Maturity Level 1 application control requirements.
These requirements and the wider ACSC E8 Maturity Model can be viewed here: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
Improved Reporting
The previous auditor’s reporting left… room for improvement. Version 4 provides high-level file execution statistics so test results can be seen at a glance.
There are now two test modes within the auditor:
The first is a ‘Quick Test’ mode, which tests folder locations that are commonly exploited by attackers (think temporary directories and other user-writeable locations that don’t require administrative privilege). It also allows the user to specify a single folder path for spot-checking.
The second mode is a ‘Complete Test’, which validates every folder location on the system. This test has a longer run time but is comprehensive. Users of the auditor may note that some script file types are not supported in this mode. This limitation exists because launching script files in every folder of a system takes a significant amount of time. Airlock Digital will look to improve this in future releases if workarounds can be identified.
Cleanup
One common item of feedback from the previous auditor was that it failed to ‘clean up’ test files correctly in some instances. This has been resolved in this release. Where file permissions allow test files to be written but not deleted, the auditor will inform the user that manual cleanup is required and list the relevant folder locations.
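The Quick Test procedure (drop a test file into a user-writeable folder, attempt to run it, then remove it), the Constrained Language Mode check described earlier, and the write-but-cannot-delete cleanup case can all be reproduced by hand for a handful of folders. The PowerShell below is an added example and is not the auditor’s own code: the default folder list, the probe file name prefix and the function name are assumptions, and the probe itself only reports its language mode.

```powershell
# Added example, not the Application Allowlisting Auditor's code.
# For each folder: write a benign .ps1 probe, launch it in a fresh PowerShell
# process, record whether it ran and which language mode it reported, then
# delete it and flag any folder where the file was written but not deleted.
function Test-AllowlistFolderExecution {
    [CmdletBinding()]
    param(
        # Assumed default list of user-writeable, non-admin locations.
        [string[]]$Folder = @(
            $env:TEMP,
            $env:LOCALAPPDATA,
            (Join-Path $env:USERPROFILE 'Downloads')
        )
    )

    # The probe prints its own language mode and nothing else. Single quotes
    # keep $ExecutionContext from being expanded in this (parent) session.
    $probeBody = 'Write-Output $ExecutionContext.SessionState.LanguageMode'
    $modes = 'FullLanguage', 'ConstrainedLanguage', 'RestrictedLanguage', 'NoLanguage'

    foreach ($dir in $Folder) {
        $result = [ordered]@{
            Folder        = $dir
            Written       = $false
            Executed      = $false
            LanguageMode  = $null
            ExitCode      = $null
            Deleted       = $false
            ManualCleanup = $null
        }

        # Assumed file name prefix; a GUID avoids collisions between runs.
        $probe = Join-Path $dir ('awa-probe-{0}.ps1' -f [guid]::NewGuid())

        try {
            Set-Content -LiteralPath $probe -Value $probeBody -ErrorAction Stop
            $result.Written = $true
        } catch {
            # Cannot write here, so there is nothing to execute or clean up.
            [pscustomobject]$result
            continue
        }

        # Run in a new process so the parent's own language mode is irrelevant.
        # -ExecutionPolicy Bypass removes script-signing policy from the picture;
        # an allowlist that blocks the file still blocks it.
        try {
            $output = & powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $probe 2>&1
            $result.ExitCode = $LASTEXITCODE
        } catch {
            $output = @()
        }

        # Only a line that is exactly a language mode name counts as execution;
        # block messages on stderr never match.
        $mode = $output | Where-Object { "$_" -in $modes } | Select-Object -First 1
        if ($mode) {
            $result.Executed = $true
            $result.LanguageMode = "$mode"
        }

        try {
            Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
            $result.Deleted = $true
        } catch {
            # Write allowed but delete denied: report the path for manual cleanup.
            $result.ManualCleanup = $probe
        }

        [pscustomobject]$result
    }
}

# Usage: check the default folders, or spot-check a single path.
Test-AllowlistFolderExecution | Format-Table -AutoSize
# Test-AllowlistFolderExecution -Folder 'C:\SomeFolder' | Format-Table -AutoSize
```

On a host with an enforcing allowlist and Constrained Language Mode, a folder that returns Executed = True with LanguageMode = ConstrainedLanguage means the script ran but under reduced capability; Executed = True with FullLanguage is the result a practitioner should treat as a gap. A non-null ManualCleanup value reproduces the condition described above: the folder permits file creation but not deletion.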
We hope that, regardless of which allowlisting software you are using, this utility helps improve your implementation and drive greater security within your environment. If you have any feedback, please don’t hesitate to let us know.
Download: Current Version: v4.0
Release Date: XX/10/2024
File Size: 3631 KB
Dependency: Microsoft .NET Framework v4.0+
SHA1: a817e3192eb50bcbf83d97062b1dd850959665eb
SHA256: 8684ad0b39c4d3a9b4bcf922647d2c3d978c9468e73f8e6e7198229dc3cbee02