deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 12:53:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Task ID 29550212

Browse Source 
Made recommended edit.
This commit is contained in:
Kim Klein
2021-05-24 11:09:43 -07:00
parent 7bd22fdeb3
commit d8b9743592
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -126,14 +126,14 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
## More information about hashes
## More information about hashes
### Why does scan create 4 hash rules per XML file?
### Why does scan create four hash rules per XML file?
(Hash Sha1, Hash Sha256, Hash Page Sha1, Hash Page Sha256)
During validation CI will choose which hashes to calculate depending on how the file is signed. E.g. if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash.
The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
During validation CI will choose which hashes to calculate depending on how the file is signed. For example, if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash.
In the cmdlets, rather than try to predict which hash CI will use, we pre calculate and use the 4 hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient to if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesnt result in a different hash than what was in the policy being used by CI.
In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesnt result in a different hash than what was in the policy being used by CI.
### Why does scan create 8 hash rules for certain XML files?