deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 20:03:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

Browse Source
This commit is contained in:
dstrome
2020-08-28 18:32:28 +00:00
parent 00621cc53e d22ea3913a
commit 670ac1a4e2
11 changed files with 205 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/microsoft-defender-atp/android-intune.md
View File

@ -118,7 +118,7 @@ Defender ATP app into your managed Google Play.
1. In [Microsoft Endpoint Manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
**Android Apps** \> **Add** and select **managed Google Play app**.
**Android Apps** \> **Add** and select **Managed Google Play app**.
> [!div class="mx-imgBorder"]
> ![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png)

BIN
windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 54 KiB

After

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 83 KiB

After

Width:  |  Height:  |  Size: 65 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 38 KiB

After

Width:  |  Height:  |  Size: 31 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 61 KiB

After

Width:  |  Height:  |  Size: 35 KiB

40
windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
View File

@ -19,13 +19,17 @@ ms.topic: conceptual
# Schedule scans with Microsoft Defender ATP for Mac
While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. Create a scanning schedule using launchd on a macOS computer.
While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week.
## Schedule a scan with launchd
## Schedule a scan with *launchd*
1. Create a new .xml file. Use the following example to create your scanning schedule file.
You can create a scanning schedule using the *launchd* daemon on a macOS device.
```xml
1. The following code shows the schema you need to use to schedule a scan. Open a text editor and use this example as a guide for your own scheduled scan file.
For more information on the *.plist* file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website.
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@ -60,22 +64,30 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your
</plist>
```
2. Save the file as a program configuration file (.plist) with the name com.microsoft.wdav.schedquickscan.plist.
2. Save the file as *com.microsoft.wdav.schedquickscan.plist*.
>[!NOTE]
>To change a quick scan to a full scan, use /usr/local/bin/mdatp --scan full in the array string and update your .plist filename.
> [!TIP]
> To run a full scan instead of a quick scan, change line 12, `<string>/usr/local/bin/mdatp --scan --quick</string>`, to use the `--full` option instead of `--quick` (i.e. `<string>/usr/local/bin/mdatp --scan --full</string>`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*.
3. Search for, and then open **Terminal**.
4. To load your file into **launchd**, enter the following commands:
3. Open **Terminal**.
4. Enter the following commands to load your file:
```bash
launchctl load /Library/LaunchDaemons/<your file name.plist>
```
```bash
launchctl start <your file name>
```
5. Your scheduled scan runs at the date, time, and frequency you defined in your .plist file. In the example, the scan runs at 2:00 AM every seven days on a Friday, with the StartInterval using 604,800 seconds for one week.
5. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the example, the scan runs at 2:00 AM every Friday.
> [!NOTE]
> Agents executed with launchd will not run at the scheduled time if the computer is asleep, but will run once the computer is awake. If the computer is off, the scan will not run until the computer is on at the next scheduled time.
Note that the `StartInterval` value is in seconds, indicating that scans should run every 604,800 seconds (one week), while the `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday.
> [!IMPORTANT]
> Agents executed with *launchd* will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode.
>
> If the device is turned off, the scan will run at the next scheduled scan time.
## Schedule a scan with Intune
You can also schedule scans with Microsoft Intune. The [runMDATPQuickScan.sh](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP#runmdatpquickscansh) shell script available at [Scripts for Microsoft Defender Advanced Threat Protection](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP) will persist when the device resumes from sleep mode.
See [Use shell scripts on macOS devices in Intune](https://docs.microsoft.com/mem/intune/apps/macos-shell-scripts) for more detailed instructions on how to use this script in your enterprise.

3
windows/security/threat-protection/windows-defender-application-control/TOC.md
View File

@ -41,7 +41,8 @@
## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md)
### [Understanding Application Control events](event-id-explanations.md)
### [Understanding Application Control event IDs](event-id-explanations.md)
### [Understanding Application Control event tags](event-tag-explanations.md)
### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
## [AppLocker](applocker\applocker-overview.md)

9
windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
View File

@ -1,6 +1,6 @@
---
title: Understanding Application Control events (Windows 10)
description: Learn what different Windows Defender Application Control events signify.
title: Understanding Application Control event IDs (Windows 10)
description: Learn what different Windows Defender Application Control event IDs signify.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
@ -21,8 +21,9 @@ ms.date: 3/17/2020
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
1. Event IDs beginning with 30 appear in Applications and Services logs Microsoft Windows CodeIntegrity Operational
2. Event IDs beginning with 80 appear in Applications and Services logs Microsoft Windows AppLocker MSI and Script
- Event IDs beginning with 30 appear in Applications and Services logs Microsoft Windows CodeIntegrity Operational
- Event IDs beginning with 80 appear in Applications and Services logs Microsoft Windows AppLocker MSI and Script
## Microsoft Windows CodeIntegrity Operational log event IDs

83
windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md Normal file
View File

@ -0,0 +1,83 @@
---
title: Understanding Application Control event tags (Windows 10)
description: Learn what different Windows Defender Application Control event tags signify.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 8/27/2020
---
# Understanding Application Control event tags
Windows Defender Application Control (WDAC) events include a number of fields which provide helpful troubleshooting information to figure out exactly what an event means. Below, we have documented the values and meanings for a few useful event tags.
## SignatureType
Represents the type of signature which verified the image.
| SignatureType Value | Explanation |
|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0 | Unsigned or verification has not been attempted |
| 1 | Embedded signature |
| 2 | Cached signature; presence of CI EA shows that file had been previously verified |
| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly |
| 5 | Successfully verified using an EA that informs CI which catalog to try first |
|6 | AppX / MSIX package catalog verified |
| 7 | File was verified |
## ValidatedSigningLevel
Represents the signature level at which the code was verified.
| ValidatedSigningLevel Value | Explanation |
|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0 | Signing level has not yet been checked |
| 1 | File is unsigned |
| 2 | Trusted by WDAC policy |
| 3 | Developer signed code |
| 4 | Authenticode signed |
| 5 | Microsoft Store signed app PPL (Protected Process Light) |
| 6 | Microsoft Store-signed |
| 7 | Signed by an Antimalware vendor whose product is using AMPPL |
| 8 | Microsoft signed |
| 11 | Only used for signing of the .NET NGEN compiler |
| 12 | Windows signed |
| 14 | Windows Trusted Computing Base signed |
## VerificationError
Represents why verification failed, or if it succeeded.
| VerificationError Value | Explanation |
|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0 | Successfully verified signature |
| 2 | File contains shared writable sections |
| 4 | Revoked signature |
| 5 | Expired signature |
| 7 | Invalid root certificate |
| 8 | Signature was unable to be validated; generic error |
| 9 | Signing time not trusted |
| 12 | Not valid for a PPL (Protected Process Light) |
| 13 | Not valid for a PP (Protected Process) |
| 15 | Failed WHQL check |
| 16 | Default policy signing level not met |
| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs |
| 18 | Custom signing level not met; returned if signature fails to match CISigners in UMCI |
| 19 | Binary is revoked by file hash |
| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy |
| 21 | Failed to pass WDAC policy |
| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet |
| 23 | Invalid image hash |
| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS |
| 26 | Explicitly denied by WADC policy |
| 28 | Resource page hash mismatch |

141
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -24,38 +24,55 @@ ms.date: 04/09/2019
- Windows 10
- Windows Server 2016 and above
Members of the security community<sup>\*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application allow policies, including Windows Defender Application Control:
- addinprocess.exe
- addinprocess32.exe
- addinutil.exe
- aspnet_compiler.exe
- bash.exe
- bginfo.exe<sup>[1]</sup>
- bginfo.exe<sup>1</sup>
- cdb.exe
- csi.exe
- dbghost.exe
- dbgsvc.exe
- dnx.exe
- dotnet.exe
- fsi.exe
- fsiAnyCpu.exe
- infdefaultinstall.exe
- kd.exe
- ntkd.exe
- kill.exe
- lxssmanager.dll
- msbuild.exe<sup>[2]</sup>
- lxrun.exe
- Microsoft.Build.dll
- Microsoft.Build.Framework.dll
- Microsoft.Workflow.Compiler.exe
- msbuild.exe<sup>2</sup>
- msbuild.dll
- mshta.exe
- ntkd.exe
- ntsd.exe
- powershellcustomhost.exe
- rcsi.exe
- runscripthelper.exe
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
- wfc.exe
- windbg.exe
- wmic.exe
- wsl.exe
- wslconfig.exe
- wslhost.exe
<sup>[1]</sup>A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
<sup>1</sup> A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
<sup>[2]</sup>If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
<sup>2</sup> If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
<sup>*</sup>Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
<sup>*</sup> Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
<br />
@ -121,44 +138,45 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<!-- File Rules
-->
<FileRules>
<Deny ID="ID_DENY_ADDINPROCESS" FriendlyName="AddInProcess.exe" FileName="AddInProcess.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_ADDINPROCESS32" FriendlyName="AddInProcess32.exe" FileName="AddInProcess32.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_ADDINUTIL" FriendlyName="AddInUtil.exe" FileName="AddInUtil.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_ASPNET" FriendlyName="aspnet_compiler.exe" FileName="aspnet_compiler.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="BGINFO.Exe" MinimumFileVersion="4.21.0.0"/>
<Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_DBGHOST" FriendlyName="dbghost.exe" FileName="DBGHOST.Exe" MinimumFileVersion="2.3.0.0"/>
<Deny ID="ID_DENY_DBGSVC" FriendlyName="dbgsvc.exe" FileName="DBGSVC.Exe" MinimumFileVersion="2.3.0.0"/>
<Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_DOTNET" FriendlyName="dotnet.exe" FileName="dotnet.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_KD_KMCI" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_NTKD" FriendlyName="ntkd.exe" FileName="ntkd.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_DBGHOST" FriendlyName="dbghost.exe" FileName="DBGHOST.Exe" MinimumFileVersion="2.3.0.0"/>
<Deny ID="ID_DENY_DBGSVC" FriendlyName="dbgsvc.exe" FileName="DBGSVC.Exe" MinimumFileVersion="2.3.0.0"/>
<Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_RCSI" FriendlyName="rcsi.exe" FileName="rcsi.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_NTSD" FriendlyName="ntsd.exe" FileName="ntsd.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_MSBUILD_DLL" FriendlyName="MSBuild.dll" FileName="MSBuild.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_VISUALUIAVERIFY" FriendlyName="visualuiaverifynative.exe" FileName="visualuiaverifynative.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_NTKD" FriendlyName="ntkd.exe" FileName="ntkd.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_NTSD" FriendlyName="ntsd.exe" FileName="ntsd.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_PWRSHLCUSTOMHOST" FriendlyName="powershellcustomhost.exe" FileName="powershellcustomhost.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_RCSI" FriendlyName="rcsi.exe" FileName="rcsi.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_RUNSCRIPTHELPER" FriendlyName="runscripthelper.exe" FileName="runscripthelper.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_ADDINPROCESS" FriendlyName="AddInProcess.exe" FileName="AddInProcess.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_ADDINPROCESS32" FriendlyName="AddInProcess32.exe" FileName="AddInProcess32.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_ADDINUTIL" FriendlyName="AddInUtil.exe" FileName="AddInUtil.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_TEXTTRANSFORM" FriendlyName="texttransform.exe" FileName="texttransform.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_VISUALUIAVERIFY" FriendlyName="visualuiaverifynative.exe" FileName="visualuiaverifynative.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_WSL" FriendlyName="wsl.exe" FileName="wsl.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_WSLCONFIG" FriendlyName="wslconfig.exe" FileName="wslconfig.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_WSLHOST" FriendlyName="wslhost.exe" FileName="wslhost.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_PWRSHLCUSTOMHOST" FriendlyName="powershellcustomhost.exe" FileName="powershellcustomhost.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_TEXTTRANSFORM" FriendlyName="texttransform.exe" FileName="texttransform.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD_DLL" FriendlyName="MSBuild.dll" FileName="MSBuild.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_DOTNET" FriendlyName="dotnet.exe" FileName="dotnet.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="65535.65535.65535.65535" />
<!-- pick the correct version of msxml3.dll, msxml6.dll, and jscript9.dll based on the release you are supporting -->
<!-- the versions of these files in the 1903 release have this issue fixed, so they dont need to be blocked -->
@ -859,48 +877,51 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User Mode Signing Scenarios">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_DENY_ADDINPROCESS"/>
<FileRuleRef RuleID="ID_DENY_ADDINPROCESS32"/>
<FileRuleRef RuleID="ID_DENY_ADDINUTIL"/>
<FileRuleRef RuleID="ID_DENY_ASPNET"/>
<FileRuleRef RuleID="ID_DENY_BASH"/>
<FileRuleRef RuleID="ID_DENY_BGINFO"/>
<FileRuleRef RuleID="ID_DENY_CBD"/>
<FileRuleRef RuleID="ID_DENY_KD"/>
<FileRuleRef RuleID="ID_DENY_NTKD"/>
<FileRuleRef RuleID="ID_DENY_WINDBG"/>
<FileRuleRef RuleID="ID_DENY_MSBUILD"/>
<FileRuleRef RuleID="ID_DENY_CSI"/>
<FileRuleRef RuleID="ID_DENY_DBGHOST"/>
<FileRuleRef RuleID="ID_DENY_DBGSVC"/>
<FileRuleRef RuleID="ID_DENY_DNX"/>
<FileRuleRef RuleID="ID_DENY_RCSI"/>
<FileRuleRef RuleID="ID_DENY_NTSD"/>
<FileRuleRef RuleID="ID_DENY_LXSS"/>
<FileRuleRef RuleID="ID_DENY_BASH"/>
<FileRuleRef RuleID="ID_DENY_DOTNET" />
<FileRuleRef RuleID="ID_DENY_FSI"/>
<FileRuleRef RuleID="ID_DENY_FSI_ANYCPU"/>
<FileRuleRef RuleID="ID_DENY_INFINSTALL"/>
<FileRuleRef RuleID="ID_DENY_KD"/>
<FileRuleRef RuleID="ID_DENY_KILL"/>
<FileRuleRef RuleID="ID_DENY_LXSS"/>
<FileRuleRef RuleID="ID_DENY_LXRUN"/>
<FileRuleRef RuleID="ID_DENY_MS_BUILD" />
<FileRuleRef RuleID="ID_DENY_MS_BUILD_FMWK" />
<FileRuleRef RuleID="ID_DENY_MWFC" />
<FileRuleRef RuleID="ID_DENY_MSBUILD"/>
<FileRuleRef RuleID="ID_DENY_MSBUILD_DLL" />
<FileRuleRef RuleID="ID_DENY_MSHTA"/>
<FileRuleRef RuleID="ID_DENY_VISUALUIAVERIFY"/>
<FileRuleRef RuleID="ID_DENY_NTKD"/>
<FileRuleRef RuleID="ID_DENY_NTSD"/>
<FileRuleRef RuleID="ID_DENY_PWRSHLCUSTOMHOST"/>
<FileRuleRef RuleID="ID_DENY_RCSI"/>
<FileRuleRef RuleID="ID_DENY_RUNSCRIPTHELPER"/>
<FileRuleRef RuleID="ID_DENY_ADDINPROCESS"/>
<FileRuleRef RuleID="ID_DENY_ADDINPROCESS32"/>
<FileRuleRef RuleID="ID_DENY_ADDINUTIL"/>
<FileRuleRef RuleID="ID_DENY_TEXTTRANSFORM"/>
<FileRuleRef RuleID="ID_DENY_VISUALUIAVERIFY"/>
<FileRuleRef RuleID="ID_DENY_WFC" />
<FileRuleRef RuleID="ID_DENY_WINDBG"/>
<FileRuleRef RuleID="ID_DENY_WMIC"/>
<FileRuleRef RuleID="ID_DENY_WSL"/>
<FileRuleRef RuleID="ID_DENY_WSLCONFIG"/>
<FileRuleRef RuleID="ID_DENY_WSLHOST"/>
<FileRuleRef RuleID="ID_DENY_INFINSTALL"/>
<FileRuleRef RuleID="ID_DENY_LXRUN"/>
<FileRuleRef RuleID="ID_DENY_PWRSHLCUSTOMHOST"/>
<FileRuleRef RuleID="ID_DENY_TEXTTRANSFORM"/>
<FileRuleRef RuleID="ID_DENY_KILL"/>
<FileRuleRef RuleID="ID_DENY_WMIC"/>
<FileRuleRef RuleID="ID_DENY_MWFC" />
<FileRuleRef RuleID="ID_DENY_WFC" />
<!-- uncomment the relevant line(s) below if you have uncommented them in the rule definitions above
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
-->
<FileRuleRef RuleID="ID_DENY_MSBUILD_DLL" />
<FileRuleRef RuleID="ID_DENY_DOTNET" />
<FileRuleRef RuleID="ID_DENY_MS_BUILD" />
<FileRuleRef RuleID="ID_DENY_MS_BUILD_FMWK" />
<FileRuleRef RuleID="ID_DENY_D_1"/>
<FileRuleRef RuleID="ID_DENY_D_2"/>
<FileRuleRef RuleID="ID_DENY_D_3"/>

12
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
View File

@ -24,20 +24,22 @@ ms.date: 03/16/2020
- Windows 10
- Windows Server 2016 and above
After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature.
After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanced Threat Protection (MDATP) Advanced Hunting feature.
## WDAC Events Overview
WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable allow events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured.
WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured.
WDAC events are generated under two locations:
1. Applications and Services logs Microsoft Windows CodeIntegrity Operational
2. Applications and Services logs Microsoft Windows AppLocker MSI and Script
- Applications and Services logs Microsoft Windows CodeIntegrity Operational
- Applications and Services logs Microsoft Windows AppLocker MSI and Script
## In this section
| Topic | Description |
| - | - |
| [Understanding Application Control events](event-id-explanations.md) | This topic explains the meaning of different WDAC events. |
| [Understanding Application Control event IDs](event-id-explanations.md) | This topic explains the meaning of different WDAC event IDs. |
| [Understanding Application Control event tags](event-tag-explanations.md) | This topic explains the meaning of different WDAC event tags. |
| [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. |