AppLocker (Microsoft tool) vs Dokan

[LucasLuke1897]

I did some (re)search on the topic on the Internet but could not find any useful information so I decided to ask a question here.

Has Dokan(y) been tested against AppLocker (in terms of mounted and hidden paths)?

If not could you check it?

We use a third party software that mounts and hides folder(s) using Dokan library (probably in 1.3.0 version) in our organisation.

We noticed that if a directory is mounted by this software and try to run an executable inside of this location AppLocker is not able to recognize the path and blocks running any executables from there.

Example. Executable.exe will be denied from running (Event ID: 8004 in EventLog under Application and Services Logs\Microsoft\Windows\AppLocker\EXE and DLL section) despite the path rule does not reflect the mounted and hidden path at all.

C:\Users%username%\AppData\Local\FolderName\$mounted_and_hidden_dir$\Executable.exe

We believe that AppLocker cannot access the $mounted_and_hidden_dir$ and that is why it blocks running executables from there.

[Liryna]

Hi @LucasLuke1897 ,

it is hard to tell without knowing the software and how they use Dokany.
Since you have the environment to reproduce, could you try to download the latest version https://github.com/dokan-dev/dokany/releases/tag/v2.3.0.1000 and do the test with mirror or memfs sample ?