diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index cae9d23e45..4e14b5c0f4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -16,7 +16,7 @@ author: jgeurten ms.reviewer: jsuther ms.author: vinpa manager: aaroncz -ms.date: 02/08/2023 +ms.date: 06/06/2023 ms.technology: itpro-security ms.topic: article --- @@ -100,7 +100,7 @@ To check that the policy was successfully applied on your computer: ```xml - 10.0.25860.0 + 10.0.25873.0 {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} @@ -1004,10 +1004,6 @@ To check that the policy was successfully applied on your computer: - - - - @@ -1057,7 +1053,7 @@ To check that the policy was successfully applied on your computer: - + @@ -2857,10 +2853,6 @@ To check that the policy was successfully applied on your computer: - - - - @@ -2926,7 +2918,7 @@ To check that the policy was successfully applied on your computer: - 10.0.25860.0 + 10.0.25873.0 diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 3630632cf7..35749e24f5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -13,7 +13,7 @@ author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz -ms.date: 05/26/2023 +ms.date: 06/06/2023 ms.technology: itpro-security ms.topic: article --- 
@@ -180,10 +180,14 @@ During validation, WDAC selects which hashes are calculated based on how the fil In the cmdlets, rather than try to predict which hash will be used, we precalculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient to changes in how the file is signed since your WDAC policy has more than one hash available for the file already. -### Why does scan create eight hash rules for certain XML files? +### Why does scan create eight hash rules for certain files? Separate rules are created for UMCI and KMCI. If the cmdlets can't determine that a file will only run in user-mode or in the kernel, then rules are created for both signing scenarios out of an abundance of caution. If you know that a particular file will only load in either user-mode or kernel, then you can safely remove the extra rules. +### When does WDAC use the flat file hash value? + +There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. This can occur for a number of reasons, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. To create rules for files with an invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly. + ## Windows Defender Application Control filename rules File name rule levels let you specify file attributes to base a rule on. File name rules provide the same security guarantees that explicit signer rules do, as they're based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules.
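Review bot: in microsoft-recommended-driver-block-rules.md the hunks at @@ -1004,10 +1004,6 and @@ -2857,10 +2853,6 each drop four lines, and @@ -1057,7 +1053,7 swaps one line, but the content of those lines has been stripped in this rendering, so the actual block-list change cannot be reviewed here; the PR description should state which policy entries were removed and which one was changed, so a reviewer can check the edit against the published policy rather than against empty lines. The VersionEx bump from 10.0.25860.0 to 10.0.25873.0 is applied consistently at both @@ -100,7 +100,7 and @@ -2926,7 +2918,7, which is what I would expect for a policy refresh.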
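Review bot: in the @@ -180,10 +180,14 hunk of select-types-of-rules-to-create.md, the heading rename from "certain XML files" to "certain files" matches the body, which explains the doubling for any file, not XML files in particular; since the preceding paragraph says the cmdlets precalculate four hashes, it would help to state the arithmetic once (four hashes for UMCI plus four for KMCI is the eight rules) so the two FAQ entries read as one explanation. In the new "When does WDAC use the flat file hash value?" section, "falls back to use the flat file hash" should read "falls back to using the flat file hash", and the closing sentence tells readers to add a hash rule for the flat file hash without saying where to get that value; spelling out that the hash to copy is the one shown in the 3089 signature information event (which the previous sentence already implies) or giving the command to compute the file's hash locally would make the guidance actionable.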