From db243a527b46d3e347574fdf607e843c2e829a25 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 6 Jun 2023 10:21:54 -0700 Subject: [PATCH 1/7] Explain when WDAC uses flat file hash --- .../select-types-of-rules-to-create.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 3630632cf7..c798b2a7a9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -13,7 +13,7 @@ author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz -ms.date: 05/26/2023 +ms.date: 06/06/2023 ms.technology: itpro-security ms.topic: article --- 
@@ -180,10 +180,14 @@ During validation, WDAC selects which hashes are calculated based on how the fil In the cmdlets, rather than try to predict which hash will be used, we precalculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient to changes in how the file is signed since your WDAC policy has more than one hash available for the file already. -### Why does scan create eight hash rules for certain XML files? +### Why does scan create eight hash rules for certain files? Separate rules are created for UMCI and KMCI. If the cmdlets can't determine that a file will only run in user-mode or in the kernel, then rules are created for both signing scenarios out of an abundance of caution. If you know that a particular file will only load in either user-mode or kernel, then you can safely remove the extra rules. +### When does WDAC use the flat file hash value? + +There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. There are a number of reasons this can occur, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. To create rules for files with invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly. + ## Windows Defender Application Control filename rules File name rule levels let you specify file attributes to base a rule on. File name rules provide the same security guarantees that explicit signer rules do, as they're based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules. From f1482767a48d0fb59e60976917ede41976176863 Mon Sep 17 00:00:00 2001 
From: jsuther1974 Date: Tue, 6 Jun 2023 11:27:04 -0700 Subject: [PATCH 2/7] Added version upper bound to Kaspersky block --- .../microsoft-recommended-driver-block-rules.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index cae9d23e45..698ffea1df 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -16,7 +16,7 @@ author: jgeurten ms.reviewer: jsuther ms.author: vinpa manager: aaroncz -ms.date: 02/08/2023 +ms.date: 06/06/2023 ms.technology: itpro-security ms.topic: article --- @@ -1057,7 +1057,7 @@ To check that the policy was successfully applied on your computer: - + From 55d1769b8b9f13bf57679b296c606dba5fcc120d Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 6 Jun 2023 11:38:34 -0700 Subject: [PATCH 3/7] Update microsoft-recommended-driver-block-rules.md --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 698ffea1df..c29fdbfe31 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
@@ -100,7 +100,7 @@ To check that the policy was successfully applied on your computer: ```xml - 10.0.25860.0 + 10.0.25860.1 {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} From 274ca73322014344bf43d1a8858de1bf26f3c6f9 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 6 Jun 2023 11:45:05 -0700 Subject: [PATCH 4/7] Removed RTCORE_19, 1A-1C --- .../microsoft-recommended-driver-block-rules.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index c29fdbfe31..e5e4a6d905 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -1004,10 +1004,6 @@ To check that the policy was successfully applied on your computer: - - - - @@ -2857,10 +2853,6 @@ To check that the policy was successfully applied on your computer: - - - - From 9c5e900b5e4edd5749c9b0e5f6ea70650268e4bc Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 6 Jun 2023 11:46:04 -0700 Subject: [PATCH 5/7] Synced VersionEx with inbox policy --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index e5e4a6d905..db84c8c73e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
@@ -100,7 +100,7 @@ To check that the policy was successfully applied on your computer: ```xml - 10.0.25860.1 + 10.0.25873.0 {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} From d181b7942af8fe2fe993aa619f32a1624b4b56f1 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 6 Jun 2023 11:48:56 -0700 Subject: [PATCH 6/7] Update microsoft-recommended-driver-block-rules.md --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index db84c8c73e..4e14b5c0f4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -2918,7 +2918,7 @@ To check that the policy was successfully applied on your computer: - 10.0.25860.0 + 10.0.25873.0 From 5dabc9220f5b4c4b3d305a5318c2d64f12f6da5c Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 6 Jun 2023 14:17:03 -0600 Subject: [PATCH 7/7] Update windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md Line 189: Add "an" before "invalid format" and minor copy edit to remove duplicate phrasing in back-to-back sentences. --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index c798b2a7a9..35749e24f5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -186,7 +186,7 @@ Separate rules are created for UMCI and KMCI. If the cmdlets can't determine tha ### When does WDAC use the flat file hash value? -There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. There are a number of reasons this can occur, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. To create rules for files with invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly. +There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. This can occur for a number of reasons, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. To create rules for files with an invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly. ## Windows Defender Application Control filename rules
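Review bot: In the new "When does WDAC use the flat file hash value?" section (PATCH 1/7, hunk at line 180 of select-types-of-rules-to-create.md), "falls back to use the flat file hash" should read "falls back to using the flat file hash". More substantively, the paragraph just above this hunk says the cmdlets precalculate four hashes (sha1/sha2 authenticode and sha1/sha2 of the first page), while the new text tells readers to add flat file hash rules with the WDAC Wizard or by editing the XML; it would help to state plainly that a cmdlet scan does not emit a flat file hash rule, so the reader understands why the manual step is needed and that the hash value to copy is the one shown in the 3089 event.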
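Review bot: The hunk at line 1057 of microsoft-recommended-driver-block-rules.md (PATCH 2/7) carries no visible rule content in this rendering, so the "version upper bound to Kaspersky block" named in the subject cannot be checked from the diff alone; the commit message should record which rule IDs were changed and the version bound that was applied, so the change is reviewable and auditable from the log.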
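Review bot: The VersionEx hunk at line 100 of microsoft-recommended-driver-block-rules.md (PATCH 3/7, 10.0.25860.0 to 10.0.25860.1) is bumped again to 10.0.25873.0 in PATCH 5/7, and the second copy of the same value at line 2918 is only updated in PATCH 6/7, so the two VersionEx values in the file are out of sync for three commits in the series. Suggest squashing PATCH 3/7, 5/7 and 6/7 into one commit that updates both copies together, and replacing the subject "Update microsoft-recommended-driver-block-rules.md" with a descriptive message such as "Sync VersionEx with inbox policy (10.0.25873.0)".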
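Review bot: The two hunks in PATCH 4/7 (lines 1004 and 2857 of microsoft-recommended-driver-block-rules.md) each delete four lines with no rationale beyond the subject "Removed RTCORE_19, 1A-1C". Dropping entries from a recommended driver block list loosens the policy, so the commit message should say why these entries were removed (for example, whether they are superseded by another rule in the same policy). The equal line counts in the two hunks suggest both the rule definitions and their references are being removed together; it is worth confirming no other references to those IDs remain in the file.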
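Review bot: The copy edit in PATCH 7/7 (hunk at line 186 of select-types-of-rules-to-create.md) fixes the duplicated "There are" opener and the missing article, but "falls back to use the flat file hash" is still ungrammatical and should become "falls back to using the flat file hash"; "such as if changes are made" reads better as "such as when changes are made".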