Subscribe via RSS
Toggle Submenu
  1. Categories
  2. Recent
  3. Tags
View Replies (3)

Resolved Certificate based whitelisting for CloudAppLauncher_Installer.exe

  1. Issue
0
Votes
Undo
  1. Daryl Foster
    Daryl Foster
  2. PowerBuilder
  3. Tuesday, 7 September 2021 06:21 AM UTC

Hi, we've been playing around with Powerclient again this week and it is looking promising, but we still have a couple of small issues with CloudAppLauncher_Installer.  We may still use the msi for central deployment, but I kind of like the idea of the user being in control of the whole installation process.  The users PCs are pretty locked down and we use application whitelisting to allow various applications to run.  We whitelisted the Appeon certificate to allow users to run CloudAppLauncher_Installer.exe downloaded from the server, but some of the files that CloudAppLauncher_Installer.exe extracts and runs aren't signed so it doesn't work.

When CloudAppLauncher_Installer.exe runs it seems to extract a few other files (e.g. LauncherSetup_withoutservice.exe [8MB]) which are signed, but then it also extracts and tries to run another LauncherSetup_withoutservice.exe in a random directory (\{6D0DC491-5F48-466F-B13E-77D11B201945}\LauncherSetup_withoutservice.exe [1MB]) which isn't signed, so that fails.  It also seems to extract and run a batch file (check_port.bat), so that fails as well.  I just wanted to check whether those files should be signed, or whether there is some reason that they aren't?

Interestingly the user can download the msi file from the server and install that just based on the Appeon certificate whitelist. If we don't deploy centrally, is there any issue with changing the link for CloudAppLauncher_Installer.exe to CloudAppLauncher_Installer.msi in autodownload.html and manualdownload.html?

insert barcode to many scanned files auto (~500k f...
Regarding Custom Color
Responses (3)
Daryl Foster
Daryl Foster Accepted Answer Pending Moderation
  1. Wednesday, 8 September 2021 08:59 AM UTC
  2. PowerBuilder
  3. # 1

Thanks ZhaoKai,

I've attached the properties of the two different LauncherSetup_withoutservice.exe files.  The one in the random temp directory isn't signed at all.  There are also some other executable files which are extracted (dotnetinstaller.exe and ISBEW64.exe), but they are both signed by Flexera so they are ok.

 


The installer isn't blocked by anti-virus. Our machines are locked down using application whitelisting implemented as software restriction policies via Group Policy. Essentially nothing can be executed unless we allow it in group policy. It can be allowed based on path, file hash or certificate.  Because they are executing from the temp directory our System Administrator isn't happy allowing them based on the path.  But also, I think the actual directory used is different each time.  It's easy to allow files to execute, but the Cloud App Launcher executes multiple files from different locations, so it's a bit trickier to handle with software restriction policies.

I think we can install the .msi via our central software deployment, but I don't think it's possible to do a silent install (without user interface) because the .msi file always displays the animated gif.  The System Administrator would rather do a silent install because it doesn't give the user a chance to cancel or interrupt the install.

Comment
Load more comments
Daryl Foster
  1. Daryl Foster
  2. Monday, 13 September 2021 03:58 AM UTC
Thanks ZhaoKai, that Cloud App Launcher seems to work fine. Those extra two files seem to be signed now. We allow executables signed with Appeon's certificate and we also need to add a file hash rule for the check_port.bat batch file to execute so now regular users can run the exe installer.
  1. Helpful
Kai Zhao @Appeon
  1. Kai Zhao @Appeon
  2. Monday, 13 September 2021 04:51 AM UTC
Glad to hear that. We will fix the signature issue in next version.
  1. Helpful
Daryl Foster
  1. Daryl Foster
  2. Monday, 13 September 2021 05:01 AM UTC
Thanks. I appreciate your help with this.
  1. Helpful
There are no comments made yet.
Kai Zhao @Appeon
Kai Zhao @Appeon Accepted Answer Pending Moderation
  1. Wednesday, 8 September 2021 08:27 AM UTC
  2. PowerBuilder
  3. # 2

Hi Daryl,

For the exe in a random directory issue:
It is InstallShield that releases the temp file. It seems required to be signed with InstallShield certificate, we need more time to figure it out.
BTW, what’s the security software you are using. We tested with a list of mainstream antivirus software and they didn’t block the temp file.

For the bat file issue:
Not like exe, the bat file can not be signed, we will consider removing the bat file in the future.
And the antivirus software we tested with didn’t report any exception with the bat file. Please guide us to reproduce the issue.

For the MSI issue:
I suggest you find another way to push the MSI to the client end and don’t change the link in autodownload.html and manualdownload.html.

Regards,
ZhaoKai

Comment
Daryl Foster
  1. Daryl Foster
  2. Wednesday, 8 September 2021 08:59 AM UTC
Thanks, see my reply above
  1. Helpful
There are no comments made yet.
Marco Meoni
Marco Meoni Accepted Answer Pending Moderation
  1. Tuesday, 7 September 2021 07:35 AM UTC
  2. PowerBuilder
  3. # 3

Hi Daryl,

very useful feedback.

We are also testing best way to run CloudAppLauncher_Installer.exe in a pretty locked CITRIX env.

Whitelisting the Launcher EXE seems unavoidable (in addition to the actual application EXE). We actually needs to deploy the Launcher with Default_Both_WithServiceMulti profile since first installation on CITRIX server must be up to administrator. In this case, the Launcher extracts 2 EXEs to temp folder with different numbers, for example 

%USER%\APPDATA\LOCAL\TEMP\43\{8984CEF2-3E65-4EAC-BE4F-A3C05BBF6285}\LAUNCHERSETUP_WITHOUTSERVICE.EXE

%USER%\APPDATA\LOCAL\TEMP\43\{97BA3DEE-A23F-49CC-B2A5-F538F0D0324B}\LAUNCHERSETUP_WITHSERVICE.EXE

which we added to the exception list.

Trusting the EXEs upon certificate would be more flexible, looking forward to hearing what Appeon answer regarding missing signed files from the extracted bundle.

Best,

.m

Comment
There are no comments made yet.
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.
We use cookies which are necessary for the proper functioning of our websites. We also use cookies to analyze our traffic, improve your experience and provide social media features. If you continue to use this site, you consent to our use of cookies.