From 8fc109633f3cd9c169ce109940b520df8101632c Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 09:39:22 -0700 Subject: [PATCH] Microsoft criteria for driver blocks have been updated. WDSI driver submission page is now linked too. --- .../microsoft-recommended-driver-block-rules.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index c749cb9925..f99fbc4154 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -33,10 +33,15 @@ Microsoft has strict requirements for code running in kernel. So, malicious acto - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +The vulnerable driver blocklist is designed to harden systems against 3rd party-developed drivers across the Windows ecosystem with any of the following: -> [!Note] -> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It's recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. +- Known security vulnerabilities which can be exploited by attackers to elevate privileges in the Windows kernel +- Malicious behaviors (i.e. malware) or certificates used to sign malware +- Behaviors which are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel + +Drivers can be submitted by IHVs, OEMs and Windows customers to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/wdsi/driversubmission). + +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. ```xml