I'm in the process of securing a Windows environment using AppLocker, but I've hit a snag with the path-based rules. My initial plan was to use a firewall learning mode to lock things down, but the issue is that many applications—especially browsers and emulators—operate from dynamic paths like AppData or temp folders. Once I enforce certain rules, those paths can shift and break everything.
So, I'm pivoting to using publisher-based rules instead because they're much more stable against updates and path changes.
What I want to establish is a blacklist (deny rules) in AppLocker targeting specific publishers for common web browsers, Android emulators (like BlueStacks and Nox), and virtual machine software (like VirtualBox and VMware). The goal is to broadly block these categories by publisher while still letting users download software as needed. I can't just block all downloads because I need users to have that capability.
However, I'm having trouble finding a reliable or comprehensive list of publishers for key applications, including major browsers (Chrome, Firefox, Edge, Opera, Brave, etc.), Android emulators, and virtualization software. Since AppLocker relies on the digital signature, I'd like to cover as many bases as possible.
I'm looking for either a list or partial list of known publishers for these categories, or even better, any strategies others have used to handle this without manually tracking down each app. Keep in mind that I know AppLocker is great for allow-listing, but in this situation, a more flexible setup is necessary since path rules are inconsistent and hash rules can easily break with updates.
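One way to build that publisher inventory and turn it into deny rules, as an added example that is not part of the question above. It uses only the stock AppLocker cmdlets (Get-AppLockerFileInformation, New-AppLockerPolicy, Set-AppLockerPolicy); the install paths listed are assumptions and should be replaced with the locations used in your estate. New-AppLockerPolicy can only emit Allow rules, so the script rewrites the generated XML to Deny and widens each rule to every version of the product.

```powershell
# Added example, not from the original post. Assumes the AppLocker module (Windows
# Pro/Enterprise) and that at least some of the binaries below exist on this machine.
Import-Module AppLocker

# Assumed install locations; adjust for your environment. Missing files are skipped.
$targets = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
    "$env:ProgramFiles\Oracle\VirtualBox\VirtualBox.exe",
    "${env:ProgramFiles(x86)}\VMware\VMware Workstation\vmware.exe"
) | Where-Object { Test-Path $_ }

# 1. Read the signature data AppLocker itself uses. Signed files expose a Publisher
#    object (PublisherName, ProductName, BinaryName, BinaryVersion).
$info = Get-AppLockerFileInformation -Path $targets

# 2. Anything without publisher info is unsigned; a publisher rule can never match it,
#    so call it out now rather than discovering it after enforcement.
$info | Where-Object { -not $_.Publisher } |
    ForEach-Object { Write-Warning "No publisher info (unsigned): $($_.Path)" }

# 3. Print the exact publisher strings AppLocker sees; this is the inventory being asked for.
$signed = $info | Where-Object Publisher
$signed | Select-Object @{n='File';      e={ "$($_.Path)" }},
                        @{n='Publisher'; e={ $_.Publisher.PublisherName }},
                        @{n='Product';   e={ $_.Publisher.ProductName }} |
    Format-Table -AutoSize

# 4. Generate publisher rules (Allow by default), then flip them to Deny and widen them
#    to any binary and any version of the product so updates do not escape the rule.
$xml = [xml](New-AppLockerPolicy -FileInformation $signed -RuleType Publisher `
             -User Everyone -RuleNamePrefix 'Deny' -Optimize -Xml)
foreach ($rule in $xml.SelectNodes('//FilePublisherRule')) {
    $rule.SetAttribute('Action', 'Deny')
    $cond = $rule.Conditions.FilePublisherCondition
    $cond.SetAttribute('BinaryName', '*')
    $cond.BinaryVersionRange.SetAttribute('LowSection',  '*')
    $cond.BinaryVersionRange.SetAttribute('HighSection', '*')
}
$out = "$env:TEMP\deny-publishers.xml"
$xml.Save($out)
Write-Host "Review $out, then merge it into the local policy with:"
Write-Host "  Set-AppLockerPolicy -XmlPolicy '$out' -Merge"
```

Run the merge step only after reviewing the XML: with -Merge the deny rules are added to the existing policy rather than replacing it, and deny rules win over allow rules in AppLocker, so a publisher deny applies even where a broad path allow (for example the default %PROGRAMFILES% rule) would otherwise permit the file.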
3 Answers
If you're looking for ways to approach this without a strict blacklist, you could explore configurations that allow specific publishers but still permit user installations. That way, you maintain control while giving users the flexibility to install what they need.
You might want to consider pre-installing browsers directly at the system level instead of allowing them to install in user directories. This way, you could manage updates more effectively. That said, if you need users to download other software, blocking execution from those user directories could be too restrictive. So using publisher-based rules could be the way to go, even if it's not a perfect solution.
I dived into blocking Opera with AppLocker and ran into a similar issue: the downloaded .exe wasn't signed, meaning no publisher info was available. So even if you block the publisher, users can still install the unsigned versions. Just a heads-up to look out for that!
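A quick check for the case described in that answer, as an added example rather than part of the answer itself: confirm whether a downloaded installer actually carries a valid Authenticode signature, and ask AppLocker how the effective policy would treat it before a user runs it. The installer path is an assumption; substitute the file you downloaded.

```powershell
# Added example, not from the answer above. $installer is an assumed path.
Import-Module AppLocker
$installer = "$env:USERPROFILE\Downloads\OperaSetup.exe"

# A publisher rule only matches files whose signature chains to a trusted root;
# 'NotSigned' or 'UnknownError' here means a publisher deny will not catch this file.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    Write-Warning "$installer : signature status '$($sig.Status)'; publisher rules will not match it"
} else {
    # The certificate subject is what AppLocker normalises into PublisherName.
    Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
}

# Export the effective (local + GPO) policy and evaluate the file as a standard user.
$policy = "$env:TEMP\effective-policy.xml"
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policy
Test-AppLockerPolicy -XmlPolicy $policy -Path $installer -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

If PolicyDecision comes back as Allowed for an unsigned installer, the only AppLocker options left for that file are a hash rule on that exact binary (which breaks on the next release) or a path rule on the download location, which is the trade-off the question already describes.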

That makes sense for a managed setup! I totally get the balance you're trying to strike; blocking every restricted path would definitely limit user freedom. Publisher rules sound like a good compromise.