tepeduis
New Creator

AppLocker policy prevents access

Hi crownpeak community,

Our company will activate the AppLocker policy from February 1st, 2022. After a short scan, we found that our FirstSpirit application is also affected.

I already have the following ideas. We can add the signed DLLs to the AppLocker policy so that FirstSpirit can run without restrictions. The main problem is that not all DLLs contain a signature, so is it foreseeable when the remaining DLLs will be provided with a signature?

Applocker_issue.jpg

Can you give me any other tips on how to prevent this problem? I need quick support to fix this issue.

Thanks!

hoebbel
e-Spirit employee

Re: AppLocker policy prevents access

Dear tepeduis,

If an AppLocker policy rule can be configured to allow applications within a special folder to be executed, maybe the following information is helpful.

Referring to the .FirstSpirit* directory within the user home:
You can configure FirstSpirit so that another directory is used for the downloaded files (parameter CLIENT_HOME_DIR or CLIENT_HOME_DIR_WINDOWS). More information is found here:
https://docs.e-spirit.com/odfs/edocs/admi/firstspirit-ser/roll-out-proces/roll-out-proces/index.html
Attention: by default FirstSpirit uses the folder \Users\<USERNAME>\.firstspirit_<FirstSpirit version>\ - so with each FirstSpirit update the folder name changes!

Referring to the FSLAUNCHER directory within the APPDATA directory:
You can install the FirstSpirit launcher into another directory and configure where it stores the downloaded files (parameter -DlauncherDir within the FSLauncher.vmoptions file). Information about this can be found here:
https://docs.e-spirit.com/odfs/edocs/admi/firstspirit-sta/areas-the-start/firstspirit-lau/index.html

If this possible solution is not sufficient, please create a ticket for your technical support: https://help.e-spirit.com

best regards
Holger

tepeduis
New Creator

Re: AppLocker policy prevents access

Hi Holger,

Thank you for your quick support! We are only allowed to install our applications in C:\Program Files, but unfortunately we don't have write permissions, so I think we need the signatures of the DLLs. (see error message below)

Are there other ways we can work around the problem?

Download fehlgeschlagen.

Stacktrace:
java.lang.IllegalStateException: Download fehlgeschlagen.
at de.espirit.firstspirit.launcher.resource.ResourceDownload.lambda$update$0(ResourceDownload.java:99)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.nio.file.AccessDeniedException: C:\Program Files\FSLauncher\jre\11.0.11
at java.base/sun.nio.fs.WindowsException.translateToIOException(WindowsException.java:89)
at java.base/sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:103)
at java.base/sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:108)
at java.base/sun.nio.fs.WindowsFileSystemProvider.createDirectory(WindowsFileSystemProvider.java:509)
at java.base/java.nio.file.Files.createDirectory(Files.java:690)
at java.base/java.nio.file.Files.createAndCheckIsDirectory(Files.java:797)
at java.base/java.nio.file.Files.createDirectories(Files.java:783)
at de.espirit.firstspirit.launcher.resource.ResourceDownload.update(ResourceDownload.java:167)
at de.espirit.firstspirit.launcher.resource.ResourceDownload.execute(ResourceDownload.java:125)
at de.espirit.firstspirit.launcher.resource.ResourceDownload.lambda$update$0(ResourceDownload.java:96)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)

hoebbel
e-Spirit employee

Re: AppLocker policy prevents access

Dear tepeduis,

The files mentioned within the first post are from two sources - the JX Browser (the browser used for the preview within the SiteArchitect) and the JRE version used by the FirstSpirit Launcher.

The exception within the last post results from problems storing the Java version downloaded from the FirstSpirit Server, which should be used for the start of the FirstSpirit Clients.

This last problem can be solved if a local JRE is used (parameters -DuseLocalJre=true and -DlocalJre=... in the FSLauncher.vmoptions file). More information can be found here within the documentation:
https://docs.e-spirit.com/odfs/edocs/admi/firstspirit-sta/areas-the-start/firstspirit-lau/index.html

If the inline preview within the SiteArchitect isn't used, then the JX Browser isn't needed. I'm sorry, but I don't have a better solution. If this solution isn't satisfying, please create a tech support ticket.

Best regards
Holger
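
Added example, not part of the thread and not e-Spirit code: a PowerShell sketch that lists which FirstSpirit launcher DLLs carry a valid Authenticode signature, then builds AppLocker DLL rules that use the publisher where one exists and a file hash otherwise, so no path rule on a user-writable folder is needed. The default directory is taken from the stack trace above and the output file name is hypothetical; point `-Directory` at whichever folder the launcher, JRE and JX Browser files actually live in.

```powershell
# Added example, not from the thread. Run in Windows PowerShell on a reference client.
param(
    # Assumption: launcher install path as it appears in the stack trace above.
    [string]$Directory = 'C:\Program Files\FSLauncher',
    # Hypothetical output file name for the generated rules.
    [string]$OutFile = '.\FirstSpirit-Dll-Rules.xml'
)
Import-Module AppLocker -ErrorAction Stop
if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
    throw "Directory not found: $Directory"
}

# 1. Authenticode status of every DLL, so the unsigned ones are known by name.
$dlls = Get-ChildItem -LiteralPath $Directory -Recurse -Filter *.dll -File
if (-not $dlls) { throw "No DLLs found under $Directory" }
$report = foreach ($dll in $dlls) {
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    [pscustomobject]@{
        Path   = $dll.FullName
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table Path, Status -AutoSize

# 2. Publisher rules where a signature exists, file-hash rules for the rest.
#    No path rule is created, so a user-writable folder is not trusted as a whole.
$info = Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Dll
$xml = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'FirstSpirit' -Optimize -Xml
Set-Content -LiteralPath $OutFile -Value $xml -Encoding UTF8
$policyPath = (Resolve-Path -LiteralPath $OutFile).Path

# 3. Dry run: list any DLL the generated rules would still not allow.
$blocked = Test-AppLockerPolicy -XmlPolicy $policyPath -Path $dlls.FullName `
    -User Everyone -Filter Denied, DeniedByDefault
if ($blocked) {
    $blocked | Format-Table FilePath, PolicyDecision -AutoSize
} else {
    Write-Output "All $($dlls.Count) DLLs are covered by $policyPath"
}
```

Hash rules match one exact file, so the rules for unsigned DLLs have to be regenerated whenever a FirstSpirit or JRE update replaces those files.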