Merged PR 15157: added new version

2025-05-12 21:37:22 +00:00 · 2019-04-09 19:17:33 +00:00 · 2019-04-09 19:17:33 +00:00 · c2e21d3b2a
commit c2e21d3b2a
parent c2886207c7 f24b38f38b
1 changed files with 42 additions and 5 deletions
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 author: jsuther1974
-ms.date: 08/31/2018
+ms.date: 04/09/2019
 ---

 # Microsoft recommended block rules
@ -76,7 +76,13 @@ These modules cannot be blocked by name or version, and therefore must be blocke

 For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules.

-Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
+Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files:
+
+- msxml3.dll
+- msxml6.dll
+- jscript9.dll
+
+Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions.

 ```xml
 <?xml version="1.0" encoding="utf-8" ?> 
@ -137,7 +143,35 @@ Microsoft recommends that you block the following Microsoft-signed applications
  <Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
  <Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" /> 
  <Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />   
-  <Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />   
+  <Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />  
+  <! -- msxml3.dll pick correct version based on release you are supporting -->
+  <! -- msxml6.dll pick correct version based on release you are supporting -->     
+  <! -- jscript9.dll pick correct version based on release you are supporting -->
+  <! -- RS1 Windows 1607
+  <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.14393.2550"/>
+  <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.14393.2550"/>
+  <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.14393.2607"/>
+  -->
+  <! -- RS2 Windows 1703
+  <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.15063.1386"/>
+  <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.15063.1386"/>
+  <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.15063.1445"/>
+  -->
+  <! -- RS3 Windows 1709
+  <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.16299.725"/>
+  <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.16299.725"/>
+  <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.16299.785"/>
+  -->
+  <! -- RS4 Windows 1803
+  <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.17134.344"/>
+  <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.17134.344"/>
+  <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.17134.406"/>
+  -->
+  <! -- RS5 Windows 1809
+  <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.17763.54"/>
+  <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.17763.54"/>
+  <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.17763.133"/>
+  -->
  <Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6"/> 
  <Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF"/> 
  <Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40"/> 
@ -842,8 +876,11 @@ Microsoft recommends that you block the following Microsoft-signed applications
  <FileRuleRef RuleID="ID_DENY_KILL"/> 
  <FileRuleRef RuleID="ID_DENY_WMIC"/>
  <FileRuleRef RuleID="ID_DENY_MWFC" /> 
-  <FileRuleRef RuleID="ID_DENY_WFC" />   
-  <FileRuleRef RuleID="ID_DENY_D_1"/> 
+  <FileRuleRef RuleID="ID_DENY_WFC" /> 
+  <FileRuleRef RuleID="ID_DENY_MSXML3" /> 
+  <FileRuleRef RuleID="ID_DENY_MSXML6" /> 
+  <FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
+  <FileRuleRef RuleID="ID_DENY_D_1"/>
  <FileRuleRef RuleID="ID_DENY_D_2"/> 
  <FileRuleRef RuleID="ID_DENY_D_3"/> 
  <FileRuleRef RuleID="ID_DENY_D_4"/>