Can I Whitelist Unsigned .tmp Files in AppLocker DLL Rules?

Asked By CuriousTechie42 On

I'm having trouble with AppLocker, particularly with how it's blocking .tmp files that follow this pattern: %OSDRIVE%PROGRAMDATA*DRIVERSTEMP*.TMP. Since these files aren't signed, I'm unable to use publisher rules. I've attempted various strategies like creating path rules with different wildcards, trying more specific folder paths, and even adding the signature of the host executable calling the .tmp file—but none have worked because AppLocker DLL rules assess the DLL itself rather than the process calling it. Is there a way to whitelist these unsigned .tmp files effectively? Additionally, can hash rules be added manually to the exported XML policy for re-import? I'm looking for alternatives to manage these ever-changing temp DLL-like files. Has anyone dealt with something similar or found a viable solution?
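One way to do what the question asks (hash rules for the known-static .tmp DLL files, merged into the existing policy rather than hand-edited), as an added PowerShell example that is not from the thread; it assumes the files sit in C:\ProgramData\DriversTemp (placeholder path) and that the result is staged in Audit mode before enforcement:

```powershell
# Added example (not from the thread). Builds AppLocker hash rules for the static
# .tmp files that are loaded as DLLs and merges them into the local policy.
$tmpDir = 'C:\ProgramData\DriversTemp'   # placeholder: use the path from your block events
$files  = Get-ChildItem -Path $tmpDir -Filter '*.tmp' -File
if (-not $files) { throw "No .tmp files found under $tmpDir" }

# Get-AppLockerFileInformation computes the hash AppLocker actually matches on.
# For PE images this is an Authenticode-style hash, NOT the plain SHA256 that
# Get-FileHash returns, so do not paste Get-FileHash output into a FileHashRule.
$info = $files | Get-AppLockerFileInformation

# Hash rules only, scoped to Everyone; -Optimize groups them into one rule where possible.
$policy = New-AppLockerPolicy -FileInformation $info -RuleType Hash -User Everyone `
    -RuleNamePrefix 'PrinterDriverTmp' -Optimize

# Export the generated XML so it can be reviewed and version-controlled. Each rule
# appears as <FileHashRule> containing <FileHash Type="SHA256" Data="0x..."
# SourceFileName="..." SourceFileLength="..."/>. Check that the rules landed in the
# <RuleCollection Type="Dll"> element; if the generator placed them elsewhere because
# of the .tmp extension, move the FileHashRule elements into the Dll collection before merging.
$xmlPath = Join-Path $env:TEMP 'printer-driver-tmp-hash-rules.xml'
[System.IO.File]::WriteAllText($xmlPath, $policy.ToXml())
Select-String -Path $xmlPath -Pattern 'RuleCollection Type=|FileHashRule' | Format-Table LineNumber, Line

# Dry run: confirm each file would now be allowed by this rule set.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $files.FullName -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the effective local policy (never replace it), then re-check the
# AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL) for the .tmp loads.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
```

Hash rules are the right fit for a user-writable directory because a path rule there would allow any file dropped into it; the trade-off is that the rules must be regenerated whenever the driver updates and the .tmp contents change.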

1 Answer

Answered By SecurityGuru88 On

Dealing with unsigned, frequently changing DLLs is definitely tricky. You have two main options here. One is to implement a managed installer. With Windows Defender Application Control (WDAC), you can authorize anything deployed through it to be automatically allowed. However, if the installer downloads other files from the internet and runs them, you're basically opening the door to malware, which defeats the purpose of app control. The second option is to let those requesting this software know that it’s incompatible with your security policies and to look for another solution. You should also reach out to the software vendor and express concerns about their installer.

TechieInNeed -

I see where you're coming from, and I agree. But in my case, the issue arises from a printer driver. I'm trying not to change the system environment drastically. The .tmp files in question are pretty static—they don't change between uses, but they are located in a user-writable directory. My aim is to find a compliant way to whitelist those known files without compromising security. Currently, switching printer drivers is on the table, but that could be a hassle. I'm exploring all options before making a final call.
