Acrolinx feedback

This commit is contained in:
Jordan Geurten 2024-01-24 12:56:50 -05:00
parent 69ce1e60ca
commit cf6392a820
2 changed files with 14 additions and 14 deletions

View File

@ -5,7 +5,7 @@ ms.localizationpriority: medium
ms.collection: ms.collection:
- tier3 - tier3
- must-keep - must-keep
ms.date: 06/06/2023 ms.date: 01/24/2024
ms.topic: article ms.topic: article
--- ---
@ -20,7 +20,7 @@ Microsoft has strict requirements for code running in kernel. So, malicious acto
- Malicious behaviors (malware) or certificates used to sign malware - Malicious behaviors (malware) or certificates used to sign malware
- Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel - Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article. Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the blocklist, including updating a block rule once a driver has been fixed, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
> [!NOTE] > [!NOTE]
> Blocking drivers can cause devices or software to malfunction, and in rare cases, lead to blue screen. The vulnerable driver blocklist is not guaranteed to block every driver found to have vulnerabilities. Microsoft attempts to balance the security risks from vulnerable drivers with the potential impact on compatibility and reliability to produce the blocklist. As always, Microsoft recommends using an explicit allow list approach to security wherever possible. > Blocking drivers can cause devices or software to malfunction, and in rare cases, lead to blue screen. The vulnerable driver blocklist is not guaranteed to block every driver found to have vulnerabilities. Microsoft attempts to balance the security risks from vulnerable drivers with the potential impact on compatibility and reliability to produce the blocklist. As always, Microsoft recommends using an explicit allow list approach to security wherever possible.
@ -39,7 +39,7 @@ With Windows 11 2022 update, the vulnerable driver blocklist is enabled by defa
The blocklist is updated with each new major release of Windows, typically 1-2 times per year, including most recently with the Windows 11 2022 update released in September 2022. The most current blocklist is now also available for Windows 10 20H2 and Windows 11 21H2 users as an optional update from Windows Update. Microsoft will occasionally publish future updates through regular Windows servicing. The blocklist is updated with each new major release of Windows, typically 1-2 times per year, including most recently with the Windows 11 2022 update released in September 2022. The most current blocklist is now also available for Windows 10 20H2 and Windows 11 21H2 users as an optional update from Windows Update. Microsoft will occasionally publish future updates through regular Windows servicing.
Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies. Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we provide a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, use the following XML to create your own custom WDAC policies.
## Blocking vulnerable drivers using WDAC ## Blocking vulnerable drivers using WDAC
@ -72,12 +72,12 @@ To check that the policy was successfully applied on your computer:
## Vulnerable driver blocklist XML ## Vulnerable driver blocklist XML
> [!IMPORTANT] > [!IMPORTANT]
> The policy listed below contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations). > The following policy contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations).
> [!NOTE] > [!NOTE]
> To use this policy with Windows Server 2016, you must convert the policy XML on a device running a newer operating system. > To use this policy with Windows Server 2016, you must convert the policy XML on a device running a newer operating system.
The below recommended blocklist xml policy file can also be downloaded from the [Microsoft Download Center](https://aka.ms/VulnerableDriverBlockList). The following recommended blocklist xml policy file can also be downloaded from the [Microsoft Download Center](https://aka.ms/VulnerableDriverBlockList).
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>

View File

@ -3,7 +3,7 @@ title: Windows Defender Application Control Wizard WDAC Event Parsing
description: Creating WDAC policy rules from the WDAC event logs and the MDE Advanced Hunting WDAC events. description: Creating WDAC policy rules from the WDAC event logs and the MDE Advanced Hunting WDAC events.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/01/2023 ms.date: 01/24/2024
--- ---
# Creating WDAC Policy Rules from WDAC Events in the Wizard # Creating WDAC Policy Rules from WDAC Events in the Wizard
@ -21,11 +21,11 @@ As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.ht
To create rules from the WDAC event logs on the system: To create rules from the WDAC event logs on the system:
1. Select **Policy Editor** from the WDAC Wizard main page. 1. Select **Policy Editor** from the main page.
2. Select **Convert Event Log to a WDAC Policy**. 2. Select **Convert Event Log to a WDAC Policy**.
3. Select the **Parse Event Logs** button under the **Parse Event Logs from the System Event Viewer to Policy** header. 3. Select the **Parse Event Logs** button under the **Parse Event Logs from the System Event Viewer to Policy** header.
The Wizard will parse the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You'll see a notification when the Wizard successfully finishes reading the events. The Wizard parses the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> [![Parse WDAC and AppLocker event log system events](../images/wdac-wizard-event-log-system.png)](../images/wdac-wizard-event-log-system-expanded.png) > [![Parse WDAC and AppLocker event log system events](../images/wdac-wizard-event-log-system.png)](../images/wdac-wizard-event-log-system-expanded.png)
@ -37,12 +37,12 @@ To create rules from the WDAC event logs on the system:
To create rules from the WDAC `.EVTX` event logs files on the system: To create rules from the WDAC `.EVTX` event logs files on the system:
1. Select **Policy Editor** from the WDAC Wizard main page. 1. Select **Policy Editor** from the main page.
2. Select **Convert Event Log to a WDAC Policy**. 2. Select **Convert Event Log to a WDAC Policy**.
3. Select the **Parse Log File(s)** button under the **Parse Event Log evtx Files to Policy** header. 3. Select the **Parse Log File(s)** button under the **Parse Event Log evtx Files to Policy** header.
4. Select the WDAC CodeIntegrity Event log EVTX file(s) from the disk to parse. 4. Select the WDAC CodeIntegrity Event log EVTX file(s) from the disk to parse.
The Wizard will parse the relevant audit and block events from the selected log files. You'll see a notification when the Wizard successfully finishes reading the events. The Wizard parses the relevant audit and block events from the selected log files. You see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> [![Parse evtx file WDAC events](../images/wdac-wizard-event-log-files.png)](../images/wdac-wizard-event-log-files-expanded.png) > [![Parse evtx file WDAC events](../images/wdac-wizard-event-log-files.png)](../images/wdac-wizard-event-log-files-expanded.png)
@ -84,12 +84,12 @@ To create rules from the WDAC events in [MDE Advanced Hunting](../operations/que
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> [![Export the MDE Advanced Hunting results to CSV](../images/wdac-wizard-event-log-mde-ah-export.png)](../images/wdac-wizard-event-log-mde-ah-export-expanded.png) > [![Export the MDE Advanced Hunting results to CSV](../images/wdac-wizard-event-log-mde-ah-export.png)](../images/wdac-wizard-event-log-mde-ah-export-expanded.png)
3. Select **Policy Editor** from the WDAC Wizard main page. 3. Select **Policy Editor** from the main page.
4. Select **Convert Event Log to a WDAC Policy**. 4. Select **Convert Event Log to a WDAC Policy**.
5. Select the **Parse Log File(s)** button under the "Parse MDE Advanced Hunting Events to Policy" header. 5. Select the **Parse Log File(s)** button under the "Parse MDE Advanced Hunting Events to Policy" header.
6. Select the WDAC MDE Advanced Hunting export CSV files from the disk to parse. 6. Select the WDAC MDE Advanced Hunting export CSV files from the disk to parse.
The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You'll see a notification when the Wizard successfully finishes reading the events. The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> [![Parse the Advanced Hunting CSV WDAC event files](../images/wdac-wizard-event-log-mde-ah-parsing.png)](../images/wdac-wizard-event-log-mde-ah-parsing-expanded.png) > [![Parse the Advanced Hunting CSV WDAC event files](../images/wdac-wizard-event-log-mde-ah-parsing.png)](../images/wdac-wizard-event-log-mde-ah-parsing-expanded.png)
@ -99,14 +99,14 @@ To create rules from the WDAC events in [MDE Advanced Hunting](../operations/que
## Creating Policy Rules from the Events ## Creating Policy Rules from the Events
On the "Configure Event Log Rules" page, the unique WDAC log events will be shown in the table. Event Ids, filenames, product names, the policy name that audited or blocked the file, and the file publisher are all shown in the table. The table can be sorted alphabetically by clicking on any of the headers. On the "Configure Event Log Rules" page, the unique WDAC log events are shown in the table. Event Ids, filenames, product names, the policy name that audited or blocked the file, and the file publisher are all shown in the table. The table can be sorted alphabetically by clicking on any of the headers.
To create a rule and add it to the WDAC policy: To create a rule and add it to the WDAC policy:
1. Select an audit or block event in the table by selecting the row of interest. 1. Select an audit or block event in the table by selecting the row of interest.
2. Select a rule type from the dropdown. The Wizard supports creating Publisher, Path, File Attribute, Packaged App and Hash rules. 2. Select a rule type from the dropdown. The Wizard supports creating Publisher, Path, File Attribute, Packaged App and Hash rules.
3. Select the attributes and fields that should be added to the policy rules using the checkboxes provided for the rule type. 3. Select the attributes and fields that should be added to the policy rules using the checkboxes provided for the rule type.
4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label will be added to the selected row confirming that the rule will be generated. 4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label is shown in the selected row confirming that the rule will be generated.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> [![Adding a publisher rule to the WDAC policy](../images/wdac-wizard-event-rule-creation.png)](../images/wdac-wizard-event-rule-creation-expanded.png) > [![Adding a publisher rule to the WDAC policy](../images/wdac-wizard-event-rule-creation.png)](../images/wdac-wizard-event-rule-creation-expanded.png)