Internal Inno Setup installer does not have product name of main installer which conflicts with AppLocker rule

2
votes

I'm creating a signed installer for a C# software that will be running in a system that is protected with Windows AppLocker. The AppLocker rule just allows software with the product name "MyAppName" in its Fqbn (Fully qualified binary name) to install itself. I bought a certificate and signed the app's exe and the installer with Inno Setup' signtool ability which worked well. The installer and the exe contain the right product name in their Fqbn.

But!

On installing, the setup creates a temporary copy of itself that does not contain the product name in its Fqbn field. The original installer does, though. The publisher name stays the same in the said field ("O=My Company, L=My Town, S=My State, C=DE").

Any ideas on how to solve this? How to get the product name in the installer's temporary copy?

Update

Here are the event logs generated by AppLocker on the customer's PC.

This is the log for the temporary copy of the installer (denied). The product name is missing in the Fqbn (there are just three backslashes): This is the log for the temporary copy of the installer (denied)

This is the log for the software's binary (allowed). The product name is there as well as the name of the binary: This is the log for the software's binary (allowed)

1
windowsinstallationinno-setupapplocker
@MartinPrikryl I'm not sure where the value is taken from. It could be the Inno Setup variable AppName which I fill in my Inno Setup script. Could also be deriving from the software's assembly.dall
@MartinPrikryl It's a value used by Microsoft AppLocker. The customer sent me a screenshot of his event log. I attached it to my original question. More info here: docs.microsoft.com/en-us/windows/security/threat-protection/…dall

1 Answers

1
votes

Upgrade to Inno Setup 6.0.4, it updates the product name of the internal installer binary:

Windows AppLocker publisher conditions are now supported by Setup up to and including the file name level.

A previous answer for older versions of Inno Setup, including explanation of the problem:

I do not think there is any Fqbn field in an EXE. Fqbn is probably just a string that the AppLocker constructs from other real fields, including the ProductName field. I also do not think the problem has anything to do with code signing.

Further, the program that the AppLocker blocks is not "temporary copy of itself (=installer)". It is a completely different program, a copy of Setup.e32 from Inno Setup installation folder. It does not have any ProductName. And Inno Setup does not allow to customize that program on its own in any way. Though you should be able to edit the file yourself as you need using an appropriate tool, like a Resource Hacker. See also Inno Setup change Task Manager Description for Setup.tmp.

If you do not want to mess with Inno Setup installation, you can modify the EXE by "abusing" the signing process. For an example, see how editbin is used as part of the signing in Microsoft SmartScreen - suspended using Inno Setup installer?