GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE

  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

HVCI Off: Blocked via Authentihash in the MS blocklist: Blocked Blocked via Signer Cert in the MS blocklist: Allowed Blocked via Signer Cert via WDAC manually: Blocked

Download link

https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/105/200/301/624/218/original/6842953d89720953.png

Notices where this attachment appears

  1. Embed this notice
    Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 02-Apr-2025 03:02:16 JST Will Dormann Will Dormann

    Edit for those looking for the TL;DR version of this thread:
    There are 3 flaws related to vulnerable driver blocking / WDAC:
    1) If HVCI is off, then WDAC blocks via file signer that have a FileAttrib qualifier (e.g. all by-signer entries in the MS vulnerable driver blocklist) will not be blocked
    2) The driver block list that's pushed to endpoints is not the same list as the public driver blocklist. The on-endpoint blocklist is missing numerous hashes.
    3) HVCI systems do not obey the FilePath qualifier for WDAC rules

    MSRC has indicated that they don't consider any of these issues to be vulnerabilities, so they will not fix.

    ----- Original thread as follows -----

    I recently deleted a thread here as my tests were not valid. What was wrong? The driver I was using as an example of "blocked via signer" was indeed in the Microsoft recommended driver block rules list for TWO YEARS (It's present in a March 2023 version of the list). Given that the blocklist is updated on Windows endpoints "1-2 times per year", this should be present in the blocklist on a Win11 machine in 2025, right? Get real. It's bugs all the way down. No, I haven't (yet?) investigated which drivers are in the official list online, but are missing on Windows endpoints. But the fact that the first viable-for-testing driver that I chose was NOT in the list on endpoints... let's just say that this isn't a good sniff test.

    Anyway, the problem that came to my attention on the Bad Place was that a user complained that that a driver that was expected to be blocked was being allowed to run if HVCI ("Memory integrity") wasn't enabled. This can't be right, can it?

    Yes, it's true. The drivers listed in the Microsoft recommended driver block rules list by way of their signing certificate do NOT result in the driver being blocked (via WDAC). So just as a test, I created my own WDAC block list (with App Control Wizard and applying it with ApplyWDAC) for an arbitrary driver.

    Let's compare 3 drivers that should be blocked, on a system with HVCI off, and on a system with HVCI on.

    • Blocked via Authentihash in the MS vulnerable driver blocklist
    • Blocked via Signer Cert in the MS vulnerable driver blocklist
    • Blocked via Signer Cert via WDAC manually

    If you do not have HVCI enabled, you are likely missing driver blocks that you are supposed to be getting.

    In conversation about a month ago from infosec.exchange permalink
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.