Merge pull request #6323 from valemieux/v-alemieux-working

Update Allow in FileRules - GH 10377
Thomas Raya 2022-03-08 18:39:05 -06:00 committed by GitHub
commit ac3b699d21
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -46,7 +46,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
```xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.22530.0</VersionEx>
<VersionEx>10.0.25070.0</VersionEx>
<PolicyTypeID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
@ -64,6 +64,8 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<EKUs />
<!--File Rules-->
<FileRules>
<Allow ID="ID_ALLOW_ALL_1" FriendlyName="" FileName="*" />
<Allow ID="ID_ALLOW_ALL_2" FriendlyName="" FileName="*" />
<Deny ID="ID_DENY_ASIO_32_SHA1" FriendlyName="ASIO32.sys Hash Sha1" Hash="D569D4BAB86E70EFBCDFDAC9D822139D6F477B7C" />
<Deny ID="ID_DENY_ASIO_32_SHA256" FriendlyName="ASIO32.sys Hash Sha256" Hash="80599708CE61EC5D6DCFC5977208A2A0BE2252820A88D9BA260D8CDF5DC7FBE4" />
<Deny ID="ID_DENY_ASIO_32_SHA1_PAGE" FriendlyName="ASIO32.sys Hash Page Sha1" Hash="80FA962BDFB76DFCB9E5D13EFC38BB3D392F2E77" />
@ -108,6 +110,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Deny ID="ID_DENY_BANDAI_SHA256" FriendlyName="bandai.sys Hash Sha256" Hash="7FD788358585E0B863328475898BB4400ED8D478466D1B7F5CC0252671456CC8" />
<Deny ID="ID_DENY_BANDAI_SHA1_PAGE" FriendlyName="bandai.sys Hash Page Sha1" Hash="EA360A9F23BB7CF67F08B88E6A185A699F0C5410" />
<Deny ID="ID_DENY_BANDAI_SHA256_PAGE" FriendlyName="bandai.sys Hash Page Sha256" Hash="BB83738210650E09307CE869ACA9BFA251024D3C47B1006B94FCE2846313F56E" />
<Deny ID="ID_DENY_BS_RCIO64_SHA1" FriendlyName="BS_RCIO64 73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Sha1" Hash="4BFE9E5A5A25B7CDE6C81EBE31ED4ABEB5147FAF" />
<Deny ID="ID_DENY_BS_RCIO64_SHA256" FriendlyName="BS_RCIO64 73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Sha256" Hash="0381632CD236CD94FA9E64CCC958516AC50F9437F99092E231A607B1E6BE6CF8" />
<Deny ID="ID_DENY_BS_RCIO64_SHA1_PAGE" FriendlyName="BS_RCIO64 5651466512138240\73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Page Sha1" Hash="C28B640BECA5E2834D2A373F139869CC309F6631" />
<Deny ID="ID_DENY_BS_RCIO64_SHA256_PAGE" FriendlyName="BS_RCIO64 5651466512138240\73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Page Sha256" Hash="9378F7DFF94D9409D38FA1A125C52734D6BAEA90913FC3CEE2659FD36AB0DA29" />
<Deny ID="ID_DENY_CAPCOM_SHA1" FriendlyName="capcom.sys Hash Sha1" Hash="1D1CAFC73C97C6BCD2331F8777D90FDCA57125A3" />
<Deny ID="ID_DENY_CAPCOM_SHA256" FriendlyName="capcom.sys Hash Sha256" Hash="FAA08CB609A5B7BE6BFDB61F1E4A5E8ADF2F5A1D2492F262483DF7326934F5D4" />
<Deny ID="ID_DENY_CAPCOM_SHA1_PAGE" FriendlyName="capcom.sys Hash Page Sha1" Hash="69006FBBD1B150FB9404867A5BCDC04FE0FC1BAD" />
@ -396,6 +402,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttrib ID="ID_FILEATTRIB_BSMI" FriendlyName="" FileName="BSMI.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.3" />
<FileAttrib ID="ID_FILEATTRIB_BS_HWMIO64" FriendlyName="" FileName="BS_HWMIO64_W10.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.1806.2200" />
<FileAttrib ID="ID_FILEATTRIB_BS_I2CIO" FriendlyName="" FileName="BS_I2cIo.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.1.0.0" />
<FileAttrib ID="ID_FILEATTRIB_BS_RCIO" FriendlyName="BS_RCIO.sys FileAttribute" FileName="BS_RCIO64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.0.1" />
<FileAttrib ID="ID_FILEATTRIB_NTIOLIB" FriendlyName="" FileName="NTIOLib.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.0" />
<FileAttrib ID="ID_FILEATTRIB_CPUZ_DRIVER" FriendlyName="" FileName="cpuz.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.4.3" />
<FileAttrib ID="ID_FILEATTRIB_ELBY_DRIVER" FriendlyName="" FileName="ElbyCDIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="6.0.3.2" />
@ -406,6 +413,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttrib ID="ID_FILEATTRIB_LIBNICM_DRIVER" FriendlyName="" FileName="libnicm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_MTCBSV64" FriendlyName="mtcBSv64.sys FileAttribute" FileName="mtcBSv64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="21.2.0.0" />
<FileAttrib ID="ID_FILEATTRIB_NCHGBIOS2X64" FriendlyName="" FileName="NCHGBIOS2x64.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="4.2.4.0" />
<FileAttrib ID="ID_FILEATTRIB_NCPL_DRIVER" FriendlyName="" FileName="NCPL.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_NICM_DRIVER" FriendlyName="" FileName="NICM.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_NSCM_DRIVER" FriendlyName="" FileName="nscm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_PHYSMEM" FriendlyName="Physmem.sys FileAttribute" FileName="physmem.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
@ -418,6 +426,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttrib ID="ID_FILEATTRIB_SANDRA_DRIVER" FriendlyName="" FileName="sandra.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.12.0.0" />
<FileAttrib ID="ID_FILEATTRIB_SEGWINDRVX64" FriendlyName="segwindrvx64.sys FileAttribute" FileName="segwindrvx64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="100.0.7.2" />
<FileAttrib ID="ID_FILEATTRIB_TREND_MICRO" FriendlyName="TmComm.sys" FileName="TmComm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="8.0.0.0" />
<FileAttrib ID="ID_FILEATTRIB_VBOX" FriendlyName="VBoxDrv.sys FileAttribute" FileName="VBoxDrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.0.0.0" />
<FileAttrib ID="ID_FILEATTRIB_VIRAGT" FriendlyName="viragt.sys 32-bit" FileName="viragt.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.80.0.0" />
<FileAttrib ID="ID_FILEATTRIB_VIRAGT64" FriendlyName="viragt64.sys" FileName="viragt64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.11" />
<FileAttrib ID="ID_FILEATTRIB_VMDRV" FriendlyName="vmdrv.sys FileAttribute" FileName="vmdrv.sys" MinimumFileVersion="10.0.10011.16384" />
@ -439,6 +448,13 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttribRef RuleID="ID_FILEATTRIB_RTKIO64_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_RWDRV_DRIVER" />
</Signer>
<Signer ID="ID_SIGNER_VERISIGN_2010_2" Name="VeriSign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="4678C6E4A8787A8E6ED2BCE8792B122F6C08AFD8" />
<FileAttribRef RuleID="ID_FILEATTRIB_TREND_MICRO" />
<FileAttribRef RuleID="ID_FILEATTRIB_RTKIO_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_RTKIO64_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_RWDRV_DRIVER" />
</Signer>
<Signer ID="ID_SIGNER_VERISIGN_2010_2" Name="VeriSign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="4678C6E4A8787A8E6ED2BCE8792B122F6C08AFD8" />
<FileAttribRef RuleID="ID_FILEATTRIB_TREND_MICRO" />
@ -473,6 +489,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttribRef RuleID="ID_FILEATTRIB_ATSZIO" />
<FileAttribRef RuleID="ID_FILEATTRIB_IQVW64" />
<FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_TREND_MICRO" />
@ -513,6 +530,16 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Signer ID="ID_SIGNER_VBOX" Name="GlobalSign Primary Object Publishing CA">
<CertRoot Type="TBS" Value="041750993D7C9E063F02DFE74699598640911AAB" />
<CertPublisher Value="innotek GmbH" />
</Signer>
<Signer ID="ID_SIGNER_VBOX_ORCALE" Name="VeriSign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="4843A82ED3B1F2BFBEE9671960E1940C942F688D" />
<CertPublisher Value="Oracle Corporation" />
<FileAttribRef RuleID="ID_FILEATTRIB_VBOX" />
</Signer>
<Signer ID="ID_SIGNER_VBOX_SUN" Name="VeriSign Class 3 Code Signing 2004 CA">
<CertRoot Type="TBS" Value="C7FC1727F5B75A6421A1F95C73BBDB23580C48E5" />
<CertPublisher Value="Sun Microsystems, Inc." />
<FileAttribRef RuleID="ID_FILEATTRIB_VBOX" />
</Signer>
<Signer ID="ID_SIGNER_REALTEK" Name="DigiCert EV Code Signing CA">
<CertRoot Type="TBS" Value="2D54C16A8F8B69CCDEA48D0603C132F547A5CF75" />
@ -544,9 +571,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Signer ID="ID_SIGNER_WINDOWS_3RD_PARTY_2014" Name="Microsoft Windows Third Party Component CA 2014">
<CertRoot Type="TBS" Value="D8BE9E4D9074088EF818BC6F6FB64955E90378B2754155126FEEBBBD969CF0AE" />
<CertPublisher Value="Microsoft Windows Hardware Compatibility Publisher" />
<FileAttribRef RuleID="ID_FILEATTRIB_BS_RCIO" />
<FileAttribRef RuleID="ID_FILEATTRIB_CPUZ_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_LHA" />
<FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_RTKIO_DRIVER" />
@ -600,6 +629,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<CertRoot Type="TBS" Value="4843A82ED3B1F2BFBEE9671960E1940C942F688D" />
<CertPublisher Value="Novell, Inc." />
<FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
</Signer>
@ -698,6 +728,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
</Signer>
<Signer ID="ID_SIGNER_SAASAME" Name="SaaSaMe Ltd.">
<CertRoot Type="TBS" Value="A86DE66D8198E4272859881476A6F9936034A482" />
</Signer>
<Signer ID="ID_SIGNER_NVIDIA_2011" Name="Leaked 2011 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="15C37DBEBE6FCC77108E3D7AD982676D3D5E77F7" />
</Signer>
<Signer ID="ID_SIGNER_NVIDIA_2015" Name="Leaked 2015 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="F049A238763D4A90B148AB10A500F96EBF1DC436" />
</Signer>
</Signers>
<!--Driver Signing Scenarios-->
@ -728,16 +764,20 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL_SHA2" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_USER" />
<DeniedSigner SignerId="ID_SIGNER_NANJING" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2011" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2015" />
<DeniedSigner SignerId="ID_SIGNER_PHYSMEM" />
<DeniedSigner SignerId="ID_SIGNER_REALTEK" />
<DeniedSigner SignerId="ID_SIGNER_RWEVERY" />
<DeniedSigner SignerId="ID_SIGNER_SAASAME" />
<DeniedSigner SignerId="ID_SIGNER_SAASAME" />
<DeniedSigner SignerId="ID_SIGNER_SANDRA" />
<DeniedSigner SignerId="ID_SIGNER_SANDRA_THAWTE" />
<DeniedSigner SignerId="ID_SIGNER_SPEEDFAN" />
<DeniedSigner SignerId="ID_SIGNER_SYMANTEC_CLASS_3" />
<DeniedSigner SignerId="ID_SIGNER_TRUST_ASIA" />
<DeniedSigner SignerId="ID_SIGNER_VBOX" />
<DeniedSigner SignerId="ID_SIGNER_VBOX_ORCALE" />
<DeniedSigner SignerId="ID_SIGNER_VBOX_SUN" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2004" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2004_BIOSTAR" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2009" />
@ -802,6 +842,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileRuleRef RuleID="ID_DENY_BANDAI_SHA256" />
<FileRuleRef RuleID="ID_DENY_BANDAI_SHA1_PAGE" />
<FileRuleRef RuleID="ID_DENY_BANDAI_SHA256_PAGE" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA256" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1_PAGE" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA256_PAGE" />
<FileRuleRef RuleID="ID_DENY_CAPCOM_SHA1" />
<FileRuleRef RuleID="ID_DENY_CAPCOM_SHA256" />
<FileRuleRef RuleID="ID_DENY_CAPCOM_SHA1_PAGE" />
@ -1106,7 +1150,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
</Setting>
<Setting Provider="PolicyInfo" Key="Information" ValueName="Id">
<Value>
<String>10.0.22530.0</String>
<String>10.0.25070.0</String>
</Value>
</Setting>
<Setting Provider="PolicyInfo" Key="NoRevalidationUponRefresh" ValueName="NoRevalidationUponRefreshValue">
<Value>
<Boolean>true</Boolean>
</Value>
</Setting>
</Settings>
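Review bot: In the hunk at `@ -439,6 +448,13 @`, the new side ends up with two `<Signer ID="ID_SIGNER_VERISIGN_2010_2" ...>` elements carrying the same `CertRoot` value `4678C6E4A8787A8E6ED2BCE8792B122F6C08AFD8`; the second one continues past the end of the hunk, so its full contents are not visible here. Signer IDs are what the `DeniedSigner SignerId` references resolve against, so a repeated ID is likely either to be rejected when the policy is validated or converted, or to leave one of the two definitions unused; compiling the published XML before readers copy it would confirm which. If the added block repeats the existing one it should be dropped, otherwise it needs its own unique ID and a matching `<DeniedSigner SignerId="..." />` entry. Separately, `ID_SIGNER_VBOX_ORCALE` looks like a misspelling of `ID_SIGNER_VBOX_ORACLE`; the `<Signer>` definition and its `<DeniedSigner>` reference agree, so it resolves, but renaming both now avoids a permanent typo in a widely copied blocklist.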