Video Furnace and Windows software restriction policies
Posted on 17 May 2012 02:41 PM

Some high security environments employ Windows software restriction policies to limit which applications can be launched on a user's PC. If the policy is configured such that access to all but specified applications is denied, the Video Furnace player will not be allowed to launch.

A rule will need to be added to allow the player to launch.

A Windows software restriction policy offers two methods for allowing a piece of software to run. You are free to use either, as the software package itself has no involvement in the way the restriction policy is implemented:

  1. A path rule can be used to allow software to run with a particular name or in a particular path. The disadvantage is that any software with that name or on that path can be run if it matches the rule (and this of course applies to any software for which a path rule is deployed).
  2. A hash rule can be created, where the executable is added to group policy, which then creates a unique hash from the executable file. This will then allow any software matching the hash, regardless of file or path name, to run. For most software applications this is the preferred method, and you can certainly do this for Video Furnace: you'll just need to grab the executable whilst the software is running and create a hash rule using that executable. The disadvantage of this method is that the hash rule must be recreated for each new version of the software if the executable file has changed.

Each time a Video Furnace InStream player is launched, two files are executed. The first, .vftv0000000 (where 0000000 is a random number), is the Java-based player launcher. It needs to be able to launch from the user's profile area, or wherever Java is set to place temporary files.

You can use a path rule to allow this, for example:

  • Path: %userprofile%\*
  • Description: Video Furnace IPTV Launcher
  • Rule: Allow files in this path to be run

This launcher places files in the user's 'AppData' temporary area, which users should normally already have write access to, as it is used by many programs.

They will then need a second path rule to launch a program from this area, for example:

  • Path: %userprofile%\AppData\Local\Temp\*
  • Description: Video Furnace IPTV Client
  • Rule: Allow files in this path to be run

Alternatively, if preferred for security reasons, use a file hash rule based on the InStream.exe file. This file only exists whilst the player is running, so you will need to grab InStream.exe whilst running the player (it will be at C:\Users\yourusername\AppData\Local\Temp\InStream00000150\InStream.app\Instream.exe).

Note that a file hash rule will not be upgrade-proof, as the file will change following a system upgrade.
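As an added example (not Techex or Video Furnace code), the PowerShell below captures the running player's executable to a stable location for use in a hash rule, and records its SHA-256 so that a changed file after an upgrade is noticed. The process name `InStream` and the staging folder `C:\SRP-Staging\VideoFurnace` are assumptions.

```powershell
# Added example: stage the running InStream.exe for a hash rule and track changes.
# Assumptions (not from the article): process name 'InStream' and the staging folder.
param(
    [string]$ProcessName = 'InStream',
    [string]$StagingDir  = 'C:\SRP-Staging\VideoFurnace'
)

# The executable only exists while the player runs, so find it via the live process.
$proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Select-Object -First 1
if (-not $proc) {
    throw "No running '$ProcessName' process with a readable path; launch the player first."
}
$exePath = $proc.Path

# SHA-256 is used here only to tell builds apart; Group Policy computes the
# rule's own hash when the file is selected in the editor.
$hash    = (Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash
$version = (Get-Item -LiteralPath $exePath).VersionInfo.FileVersion

# Copy the file somewhere stable, named after its hash, for use in the editor.
New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null
$copy = Join-Path $StagingDir ('InStream-{0}.exe' -f $hash.Substring(0, 12))
Copy-Item -LiteralPath $exePath -Destination $copy -Force

# Compare with the hash recorded on the previous run to spot an upgraded player.
$record   = Join-Path $StagingDir 'last-hash.txt'
$previous = if (Test-Path -LiteralPath $record) {
    Get-Content -LiteralPath $record -TotalCount 1
} else { $null }

if ($previous -eq $hash) {
    Write-Output "Unchanged since last capture; the existing hash rule still applies."
} else {
    Set-Content -LiteralPath $record -Value $hash
    Write-Output "New or changed executable; create a hash rule from: $copy"
}
Write-Output "Source : $exePath"
Write-Output "Version: $version"
Write-Output "SHA256 : $hash"
```

Run it as the user who launched the player, while the player is open, then point the hash rule at the staged copy.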

You could also use %userprofile%\AppData\Local\Temp\InStream00000150\InStream.app\* to make the path rule tighter, but then you will need a separate path rule for each of the back-end tools, as they launch from different locations, e.g. %userprofile%\AppData\Local\Temp\VFAEditor00000150\VFAEditor.app.


Techex Support Services - Support Case Manager