Whitelisting non-MSI installation packages

Issue

Whitelisting non-MSI installation packages can cause problems both when you install the application and when you later run its executable files. The Package Contents Whitelist Policy type scans the files inside a package only for MSI packages. For non-MSI packages, only the installation application itself is scanned.

The first issue occurs when you run an .exe installer: if an exception blacklist policy is present, the intermediary applications launched by the installer are caught by the blacklist, which prevents the installation.

The second issue occurs after an application has been installed. Applications installed by an .exe rather than an .msi are not automatically whitelisted by the Package Contents Whitelist Policy, which means the blacklist will prevent those applications from running.

Solution

Ensure that the child processes and installed files of whitelisted installers are also whitelisted by applying one of the following solutions.

Solution 1

  1. In the Whitelist policy, click the Application Actions tab and, under Child applications, select the Same as parent option.
  2. Click the Policy Enforcement tab and clear the Continue enforcing policies for child processes after enforcing this policy check box.
  3. Next, open the Blacklist policy and click the Policy Enforcement tab.
  4. Select the Stage 2 processing check box.
  5. Add the installed application files to a whitelist policy. Do this by installing the application on a reference system, or by creating a whitelist policy for the installed application files using an alternate method such as executable filters.
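
One way to identify the installed application files on the reference system for step 5, as an added example that is not part of the original article or of the product's own tooling. The script, its working directory, the scanned root folders and the extension list are assumptions; run it with -Phase Before, run the .exe installer, then run it with -Phase After to list new or changed executables with their SHA-256 hash and signer.

```powershell
# Added example (not vendor code). Scanned roots, extensions and output paths are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet('Before', 'After')][string]$Phase,
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData),
    [string]$WorkDir = (Join-Path $env:TEMP 'installer-snapshot')
)

# File types treated as executable content for whitelisting purposes (assumption).
$extensions = '.exe', '.dll', '.sys', '.ocx', '.scr', '.com'

function Get-ExecutableSnapshot {
    param([string[]]$Path)
    # Enumerate executable files under the given roots and hash each one.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($hash) { [pscustomobject]@{ Path = $_.FullName; Sha256 = $hash.Hash } }
        }
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$beforeFile    = Join-Path $WorkDir 'before.csv'
$existingRoots = $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

if ($Phase -eq 'Before') {
    # Baseline taken before the installer runs.
    Get-ExecutableSnapshot -Path $existingRoots | Export-Csv -LiteralPath $beforeFile -NoTypeInformation
    return
}

if (-not (Test-Path -LiteralPath $beforeFile)) { throw 'Run with -Phase Before first.' }

# Index the baseline as "path|hash" so both new and modified files show up in the diff.
$known = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Import-Csv -LiteralPath $beforeFile | ForEach-Object { [void]$known.Add("$($_.Path)|$($_.Sha256)") }

Get-ExecutableSnapshot -Path $existingRoots |
    Where-Object { -not $known.Contains("$($_.Path)|$($_.Sha256)") } |
    ForEach-Object {
        # Record the signer so a publisher-based filter can be considered instead of per-file hashes.
        $sig = Get-AuthenticodeSignature -LiteralPath $_.Path
        [pscustomobject]@{
            Path = $_.Path; Sha256 = $_.Sha256
            SignatureStatus = $sig.Status
            Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Export-Csv -LiteralPath (Join-Path $WorkDir 'installed-files.csv') -NoTypeInformation
```

Files that the installer writes outside the scanned roots, such as per-user profile folders, are not captured unless those folders are passed in -Roots.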

Solution 2

Repackage .exe installers into .msi files, which will allow the Package Contents Whitelist Policy to add the applications in the package to a whitelist.