updated block list

2025-06-22 13:53:39 +00:00 · 2017-12-12 08:35:08 -08:00
parent a51a35de8c
commit ca4fa2eaf3
1 changed files with 29 additions and 20 deletions
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
@ -39,6 +39,9 @@ Members of the security community<sup>\*</sup> continuously collaborate with Mic

 Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Windows Defender Device Guard:

+- addinprocess.exe
+- addinprocess32.exe
+- adinutil.exe
 - bash.exe
 - bginfo.exe<sup>[1]</sup> 
 - cdb.exe
@ -136,6 +139,9 @@ Microsoft recommends that you block the following Microsoft-signed applications
    <Deny  ID="ID_DENY_MSHTA"             FriendlyName="mshta.exe"                   FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" />
    <Deny  ID="ID_DENY_VISUALUIAVERIFY"   FriendlyName="visualuiaverifynative.exe"   FileName="visualuiaverifynative.exe" MinimumFileVersion = "65535.65535.65535.65535" />
    <Deny  ID="ID_DENY_RUNSCRIPTHELPER"   FriendlyName="runscripthelper.exe"         FileName="runscripthelper.exe" MinimumFileVersion="65535.65535.65535.65535" />
+    <Deny  ID="ID_DENY_ADDINPROCESS"      FriendlyName="AddInProcess.exe"            FileName="AddInProcess.exe" MinimumFileVersion="65535.65535.65535.65535" />
+    <Deny  ID="ID_DENY_ADDINPROCESS32"    FriendlyName="AddInProcess32.exe"          FileName="AddInProcess32.exe" MinimumFileVersion="65535.65535.65535.65535" />
+    <Deny  ID="ID_DENY_ADDINUTIL"         FriendlyName="AddInUtil.exe"               FileName="AddInUtil.exe" MinimumFileVersion="65535.65535.65535.65535" />

    <Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6" />
    <Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF" />
@ -421,6 +427,9 @@ Microsoft recommends that you block the following Microsoft-signed applications
          <FileRuleRef RuleID="ID_DENY_MSHTA" />
          <FileRuleRef RuleID="ID_DENY_VISUALUIAVERIFY" />
          <FileRuleRef RuleID="ID_DENY_RUNSCRIPTHELPER"/>
+          <FileRuleRef RuleID="ID_DENY_ADDINPROCESS"/>
+          <FileRuleRef RuleID="ID_DENY_ADDINPROCESS32"/>
+          <FileRuleRef RuleID="ID_DENY_ADDINUTIL"/>
          <FileRuleRef RuleID="ID_DENY_D_1" />
          <FileRuleRef RuleID="ID_DENY_D_2" />
          <FileRuleRef RuleID="ID_DENY_D_3" />