Problem
Whitelisting Non-MSI Installation Packages can introduces several potential issues when attempting to install and later run executable files. The Package Contents Whitelist Policy type will only scan files for MSI packages. Non-MSI packages will only be scanned for the installation application itself.
The first issue happens when trying to execute an .exe installer is when that installer launches other intermediate installation applications. If an exception blacklist policy is present, the intermediary applications that get launched by an installer will be caught by the blacklist, thus preventing the installation.
The second issue occurs after an application has been installed. Applications that have been installed by an .exe rather than .msi will not automatically be whitelisted by the Package Contents Whitelist Policy, which means those applications will be prevented from running with the blacklist.
Solution
The following steps can be taken to ensure child processes and installed files of whitelisted installers are whitelisted:
- On the Whitelist policy, click the Application Actions tab and change the Child applications to Same as parent
- Also under the Whitelist policy, click on the Policy Enforcement tab and uncheck Continue enforcing policies for child processes after enforcing this policy
- Next open the Blacklist policy, then open the Policy Enforcement tab and check the Stage 2 processing option. For more information on Stage 2 processing, refer to the article .
- Finally, the installed application files needs to be added to a whitelist policy. This can be done by installing the application on a reference system or creating a whitelist policy for the installed application files using an alternate method such as executable filters.
Alternative
Alternatively, .exe installers can be repackaged into .msi files, which will allow the Package Contents Whitelist Policy to add the applications in the package to a whitelist.