
jsuther1974/AaronLocker-WDAC 1

Robust and practical application whitelisting for Windows

Pull request review comment: MicrosoftDocs/windows-itpro-docs

Published recommended driver block rules from HVCI/10S blocklist

+---+title: Microsoft recommended driver block rules (Windows 10)+description: View a list of recommended block rules to block vulnerable third party drivers discovered by Mirosoft and the security research community.  +keywords:  security, malware, kernel mode, driver+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb+ms.prod: w10+ms.mktglfcycl: deploy+ms.sitesec: library+ms.pagetype: security+ms.localizationpriority: medium+audience: ITPro+ms.collection: M365-security-compliance+author: jogeurte+ms.reviewer: isbrahm+ms.author: dansimp+manager: dansimp+ms.date: 10/15/2020+---++# Microsoft recommended driver block rules++**Applies to:**++- Windows 10+- Windows Server 2016 and above++Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Mirosoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices: 
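Review bot: the "Mirosoft" misspelling occurs twice in this hunk, once in the `description:` front-matter value and again in the body paragraph ("Mirosoft works closely with our IHVs"), so correcting only the body would leave the page description misspelled. In the same paragraph, "code running in kernel" and "run malware in kernel" read more naturally as "in the kernel".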

You have a typo. “Mirosoft”

jgeurten

comment created time in a day

Pull request review comment: MicrosoftDocs/windows-itpro-docs

Published recommended driver block rules from HVCI/10S blocklist

+---+title: Microsoft recommended driver block rules (Windows 10)+description: View a list of recommended block rules to block vulnerable third party drivers discovered by Mirosoft and the security research community.  +keywords:  security, malware, kernel mode, driver+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb+ms.prod: w10+ms.mktglfcycl: deploy+ms.sitesec: library+ms.pagetype: security+ms.localizationpriority: medium+audience: ITPro+ms.collection: M365-security-compliance+author: jogeurte+ms.reviewer: isbrahm+ms.author: dansimp+manager: dansimp+ms.date: 10/15/2020+---++# Microsoft recommended driver block rules++**Applies to:**++- Windows 10+- Windows Server 2016 and above++Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Mirosoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices: ++- Hypervisor-protected code integrity (HVCI) enabled devices +- Windows 10S mode devices++Microsoft recommends enabling [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or Windows 10S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. 
Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.+++> [!Note]+> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. +++```xml+<?xml version="1.0" encoding="utf-8"?>+<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">+  <VersionEx>10.0.19565.0</VersionEx>+  <PolicyTypeID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyTypeID>+  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>+  <Rules>
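Review bot: in the warning paragraph, "can result in devices or software to malfunction" is ungrammatical; suggest "can cause devices or software to malfunction, and in rare cases, a blue screen". The `[!Note]` that follows then repeats the audit-mode recommendation the paragraph just made, so keep one of the two, and since the policy blocks drivers, the note's "application list" and "application vulnerabilities" should read "driver list" and "driver vulnerabilities".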

Are these really the only rule options we should include by default?

jgeurten

comment created time in a day

Pull request review comment: MicrosoftDocs/windows-itpro-docs

Published recommended driver block rules from HVCI/10S blocklist

+---+title: Microsoft recommended driver block rules (Windows 10)+description: View a list of recommended block rules to block vulnerable third party drivers discovered by Mirosoft and the security research community.  +keywords:  security, malware, kernel mode, driver+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb+ms.prod: w10+ms.mktglfcycl: deploy+ms.sitesec: library+ms.pagetype: security+ms.localizationpriority: medium+audience: ITPro+ms.collection: M365-security-compliance+author: jogeurte+ms.reviewer: isbrahm+ms.author: dansimp+manager: dansimp+ms.date: 10/15/2020+---++# Microsoft recommended driver block rules++**Applies to:**++- Windows 10+- Windows Server 2016 and above++Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Mirosoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices: ++- Hypervisor-protected code integrity (HVCI) enabled devices +- Windows 10S mode devices
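Review bot: "Applies to" lists "Windows Server 2016 and above", but the paragraph says the ecosystem block policy is applied to HVCI-enabled devices and Windows 10S mode devices, which leaves Server readers unsure whether any of this reaches them; either state how the policy applies to Server or narrow the list. The two bullet items also carry trailing spaces ("(HVCI) enabled devices ").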

The correct term is "Windows 10 in S mode (S mode)", not Windows 10S mode devices. Referencing "(S mode)" on first use allows you to simply refer to S mode through the rest of the doc.

jgeurten

comment created time in a day

Issue closed: microsoft/AaronLocker

Unable to add exceptions using GetExeFilesToDenyList.ps1

I'm trying to prevent regular users from launching msiexec.exe, but when I edit "C:\AaronLocker\CustomizationInputs\GetExeFilesToDenyList.ps1" as shown below

```powershell
# Files used by ransomware
"$env:windir\System32\cipher.exe"
"$env:windir\System32\msiexec.exe"
```

And then re-ran `PS C:\AaronLocker> .\Create-Policies.ps1`

The resulting .xml rules don't include the new exception.

```text
[----- Publisher exceptions -----]
CIPHER.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® WINDOWS® OPERATING SYSTEM
INSTALLUTIL.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK
MICROSOFT.WORKFLOW.COMPILER.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK
MSBUILD.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK
MSHTA.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; INTERNET EXPLORER
PRESENTATIONHOST.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® WINDOWS® OPERATING SYSTEM
REGASM.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK
REGSVCS.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK
RUNAS.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® WINDOWS® OPERATING SYSTEM
WMIC.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® WINDOWS® OPERATING SYSTEM
```

Please advise.

closed time in 3 months

ab366s
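Added example, not AaronLocker's own code: a check that parses an AppLocker policy XML and reports which file names are actually blocked, either by a Deny rule or as a publisher exception carved out of an Allow rule, so a gap like the missing MSIEXEC.EXE in the issue above is visible without reading the XML by hand. The policy is a constructed sample in the AppLocker schema; its rule names and ids are made up.

```python
# Walks every RuleCollection of an AppLocker policy. A Deny rule blocks what
# its <Conditions> match; an Allow rule blocks only what is listed under its
# <Exceptions>. Both are reported per file name (BinaryName or Path).
import xml.etree.ElementTree as ET

MS_WIN = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"

SAMPLE_POLICY = f"""<AppLockerPolicy Version="1">
 <RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePublisherRule Id="r1" Name="Allow Windows" Action="Allow" UserOrGroupSid="S-1-1-0">
   <Conditions>
    <FilePublisherCondition PublisherName="{MS_WIN}" ProductName="*" BinaryName="*">
     <BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition>
   </Conditions>
   <Exceptions>
    <FilePublisherCondition PublisherName="{MS_WIN}" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="CIPHER.EXE">
     <BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition>
   </Exceptions>
  </FilePublisherRule>
  <FilePublisherRule Id="r2" Name="Deny mshta" Action="Deny" UserOrGroupSid="S-1-1-0">
   <Conditions>
    <FilePublisherCondition PublisherName="{MS_WIN}" ProductName="INTERNET EXPLORER" BinaryName="MSHTA.EXE">
     <BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition>
   </Conditions>
  </FilePublisherRule>
 </RuleCollection>
</AppLockerPolicy>"""


def blocked_binaries(policy_xml, collection="Exe"):
    """Map upper-cased file name -> set of reasons it is blocked in a collection."""
    blocked = {}
    for coll in ET.fromstring(policy_xml).iter("RuleCollection"):
        if coll.get("Type") != collection:
            continue
        for rule in coll:
            is_deny = rule.get("Action") == "Deny"
            conds = rule.findall("./Conditions/*" if is_deny else "./Exceptions/*")
            how = ("deny rule " if is_deny else "exception in ") + rule.get("Name", "")
            for cond in conds:
                name = (cond.get("BinaryName") or cond.get("Path") or "").upper()
                if name:
                    blocked.setdefault(name, set()).add(how)
    return blocked


def missing_from_policy(policy_xml, expected_names):
    """Names you intended to block that have neither a Deny rule nor an exception."""
    blocked = blocked_binaries(policy_xml)
    return sorted(n.upper() for n in expected_names if n.upper() not in blocked)
```

Run `missing_from_policy` against the generated `.xml` with the names from your GetExeFilesToDenyList.ps1 to confirm each one landed in the policy.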