If HVCI is enabled, the once-working FilePath blocking rule stops working
https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/110/956/465/350/165/original/959227f089d938d2.png
If we test with our own custom WDAC rules, we can confirm that all of the allowed properties to block by are indeed obeyed by Windows. Specifically:
Hash, FileName, FilePath, SignedVersion, PFN, Publisher, FilePublisher, LeafCertificate, PcaCertificate, RootCertificate, WHQL, WHQLPublisher, WHQLFilePublisher
When we test these blocking techniques individually, they all seem to work fine, including blocking by signing cert (FilePublisher). So this suggests that WDAC blocking by signing cert is not broken, but rather there's something broken about the Microsoft recommended driver block rules list when it's not enforced by HVCI.
However, in the process of testing individual blocking techniques, I've discovered a third vulnerability. On a system that is successfully using the FilePath WDAC blocking directive, if I enable HVCI, that block will suddenly stop blocking.
That is, while turning on HVCI is a wise move across the board, this is a specific case where having HVCI enabled is ironically less secure than having it off. The Microsoft recommended driver block rules list doesn't have any entries based on FilePath, so this block list is unaffected by this problem. But surely there's somebody out there with FilePath block rules who is unknowingly missing protection on systems with HVCI enabled.
To eliminate variables, I got these screenshots by starting with a system that has a working FilePath WDAC block enabled, and simply enabled HVCI on that same system. The mere act of enabling HVCI on a system causes a working FilePath rule to stop working.
It truly is bugs all the way down, but just to summarize what we've discovered after pulling a thread about blocked drivers not being blocked:
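As an added example (not code from the original post or from Microsoft): a defender reading the thread above would want a quick way to find out whether they are in the affected situation, i.e. a WDAC policy that relies on FilePath deny rules on a host where HVCI is running. The script below builds a small deny-by-FilePath policy with the ConfigCI cmdlets the way the thread's test does, then scans any policy XML files you hand it for Allow/Deny rules carrying a FilePath attribute and cross-checks that against the HVCI state reported by Win32_DeviceGuard. The sample path C:\Drivers\Untrusted\* and the output file name are constructed for the demo; the policy XML layout (FileRules children with a FilePath attribute in the urn:schemas-microsoft-com:sipolicy namespace) is assumed from the WDAC schema.

```powershell
# Added example, not from the original post. Flags WDAC policies that depend on
# FilePath rules on a host where HVCI is running, since the thread reports that a
# working FilePath deny rule stops being enforced once HVCI is enabled.

function Get-HvciState {
    # Win32_DeviceGuard reports running security services as an int array;
    # value 2 = Hypervisor enforced Code Integrity (HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning    -contains 2)
    }
}

function Get-WdacFilePathRule {
    # Returns every Allow/Deny rule in a WDAC policy XML that is keyed on FilePath.
    param([Parameter(Mandatory)][string]$PolicyXmlPath)

    [xml]$doc = Get-Content -Raw -LiteralPath $PolicyXmlPath
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    # Assumption: WDAC policy namespace as used in New-CIPolicy output.
    $ns.AddNamespace('ci', 'urn:schemas-microsoft-com:sipolicy')

    foreach ($node in $doc.SelectNodes('//ci:FileRules/*[@FilePath]', $ns)) {
        [pscustomobject]@{
            Policy       = Split-Path -Leaf $PolicyXmlPath
            RuleType     = $node.LocalName          # Allow or Deny
            Id           = $node.ID
            FriendlyName = $node.FriendlyName
            FilePath     = $node.FilePath
        }
    }
}

function Test-FilePathRuleExposure {
    # Prints a warning for each FilePath rule when HVCI is running, which is the
    # exact combination the thread describes as silently unenforced.
    param([Parameter(Mandatory)][string[]]$PolicyXmlPath)

    $hvci  = Get-HvciState
    $rules = $PolicyXmlPath | ForEach-Object { Get-WdacFilePathRule -PolicyXmlPath $_ }

    if (-not $rules) {
        Write-Host 'No FilePath-based rules found; not affected by the HVCI/FilePath issue.'
        return
    }
    $rules | Format-Table -AutoSize
    if ($hvci.HvciRunning) {
        Write-Warning ("HVCI is running and {0} FilePath rule(s) are present. " -f $rules.Count +
                       'Per the observed behaviour these rules may not be enforced; ' +
                       'consider re-expressing them as Hash or FilePublisher rules and re-testing.')
    } else {
        Write-Host 'HVCI is not running; FilePath rules are expected to be enforced as written.'
    }
    return $rules
}

# --- Demo: build a deny-by-FilePath policy like the one tested in the thread -----
# Constructed sample path; adjust for your own environment.
$demoXml = Join-Path $env:TEMP 'FilePathDenyDemo.xml'
# New-CIPolicyRule -Deny -FilePathRule and New-CIPolicy -Rules are ConfigCI cmdlets
# shipped with Windows; the exact parameter combination below is assumed to be
# accepted as written.
$deny = New-CIPolicyRule -Deny -FilePathRule 'C:\Drivers\Untrusted\*'
New-CIPolicy -FilePath $demoXml -Rules $deny -UserPEs | Out-Null
# Option 3 = Enabled:Audit Mode, so the demo policy only logs rather than blocks.
Set-RuleOption -FilePath $demoXml -Option 3

Test-FilePathRuleExposure -PolicyXmlPath $demoXml
```

Run it as an administrator with the paths of the policy XML sources you actually deploy (the binary .cip files under CodeIntegrity cannot be parsed this way, so point it at the XML you convert from). The output does not prove a rule is unenforced; it only tells you that you are in the configuration the thread found problematic, so the follow-up is to repeat the thread's own test, i.e. try to load a file matched by the FilePath rule with HVCI on and confirm in the Code Integrity event log whether it was blocked.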