Attack Surface Analyzer Tool fails to generate Attack Surface Report

Question
-
Hi All,
Our product is failing the Windows Logo Certification under the Attack Surface Analyzer (ASA) test case.
Hence, we ran the Attack Surface Analyzer tool against our product. We obtained the ASA's msi from http://www.microsoft.com/en-in/download/details.aspx?id=24487.
We used a Windows 7 OS and also installed the .NET framework 4.0.
We followed the steps under "Collecting attack surface information with .NET Framework 4 installed".
1) Downloaded and installed ASA on a fresh Windows 7 OS machine with the .NET framework 4.0 installed on it.
2) Ran ASA from the Start menu and chose to run the baseline scan. BaseLine CAB was generated successfully.
3) Installed our product and ran the application.
4) Ran ASA from the Start menu and chose to run the productLine scan. ProductLine CAB was also generated successfully.
5) Ran ASA from Start menu and chose to generate the Attack Surface Report.
6) Next, we get an alert saying that the tool is running the analysis and loading the product CAB.
7) The tool then fails to load the product CAB and shows the following error:
NOTE: We didn't change the name prompted by the tool for the above CAB reports the first time. Due to failure, we also tried to rename the CAB file names to simpler ones. But alas, we get the same error.
Are we missing something here? What could be the solution to this issue?
Thanks,
Supreet Bhaskar
- Edited by SupreetBhaskar Sunday, June 23, 2013 5:17 PM
All replies
-
Hi Supreet,
For logo certification testing please use the Windows App Certification Kit (ACK) available at http://msdn.microsoft.com/en-US/windows/desktop/aa904949. The ASA test cases included in logo certification are included in that kit.
-
Hi,
Thanks for your response.
We have already obtained the Logo certification using the Windows App Certification Kit. After running the kit, we found that our application failed for the Attack Surface Analyzer Test Case.
The report included the following link: http://msdn.microsoft.com/library/windows/apps/hh750314.aspx#asa to be used if we needed to fix the issues which are causing the ASA test case to fail.
The Attack Surface Analyzer tool seemed to suggest help regarding fixing these issues and hence we tried it.
Could you please elaborate how to go about fixing the issues once we know the ASA test case is failing?
Thanks and Regards,
Supreet
-
Hi Supreet,
The Windows App Certification Kit includes a subset of the checks included in the standalone ASA tool, so let's start by focusing on that. Direct links to guidance to address ASA test cases included in the Windows App Certification Kit failing are included below.
- Secure executable files that have weak ACLs
- Secure directories that contain objects and have weak ACLs
- Secure registry keys with weak ACLs
- Services that allow access to non-administrator accounts and are vulnerable to tampering
- Services that have fast restarts or might restart more than twice every 24 hours
Please clarify if you are seeing the illegal characters in path exception when you run the Windows App Certification Kit or if you are seeing a different issue that is not covered by the links above.
- Edited by SDL TeamModerator Wednesday, July 3, 2013 5:49 PM fixed a typo
- Proposed as answer by SDL TeamModerator Wednesday, July 3, 2013 5:49 PM
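
The reply above lists services that non-administrator accounts can tamper with among the checks. As an added example (not from the thread, and not ASA's own logic), this Python code parses the SDDL string printed by `sc sdshow <service>` and lists allow ACEs that grant service-altering rights to trustees other than LocalSystem and Administrators. The tamper-right set, the admin trustee set and the sample strings are assumptions constructed for illustration.

```python
import re

# Rights that let the holder alter a service. Assumed tamper set for this
# example (not ASA's published rule); values are the access-mask bits.
TAMPER = {"DC": 0x2, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
          "GA": 0x10000000, "GW": 0x40000000}
# Trustees treated as administrative (assumption): LocalSystem, Administrators.
ADMIN = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}

# Constructed sample strings in the format printed by `sc sdshow`.
TIGHT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
         "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"
        "(A;;0x000f01ff;;;BU)")


def tamper_rights(rights):
    """Return the tamper codes granted by one SDDL rights field."""
    if rights.lower().startswith("0x"):           # numeric access-mask form
        mask = int(rights, 16)
        return sorted(c for c, bit in TAMPER.items() if mask & bit)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return sorted(codes & TAMPER.keys())


def weak_service_aces(sddl):
    """List (trustee, rights) for allow ACEs giving non-admins tamper rights."""
    # Take only the DACL: "D:", optional flags, then a run of (...) ACEs.
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []                                 # no DACL section present
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")   # type;flags;rights;obj;inherit_obj;trustee
        if len(fields) < 6 or fields[0] != "A":   # plain allow ACEs only
            continue
        granted = tamper_rights(fields[2])
        if granted and fields[5] not in ADMIN:
            findings.append((fields[5], granted))
    return findings


if __name__ == "__main__":
    for name, sddl in (("TIGHT", TIGHT), ("WEAK", WEAK)):
        print(name, weak_service_aces(sddl))
```

An empty result for a service means no non-admin trustee holds a right from the assumed tamper set; any listed trustee is a candidate for tightening the service DACL.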