Windows BSOD due to failure to load vsock.sys What happens if you block signer without FileAttrib qualifiers

Download link

https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/116/266/858/885/142/original/220fc1842efaaba9.png

Notices where this attachment appears

    Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 02-Apr-2025 03:02:15 JST

    If we think that WDAC individual block list rules work OK, but the Microsoft recommended driver block rules do not work on HVCI-disabled system, how can that be?

    The MS list, despite listing blocked signers, also uses a FileAttrib qualifier for the signer being blocked. In the case of the Truesight driver I'm using for testing, the MS blocklist specifies a "FileName" and a "MaximumFileVersion" property that is required for the block to take place.

    Why is this done? If you simply use WDAC to block a file by its signer, you'll have a lot of collateral damage.

    That nasty driver you want to block? It also has signers that are legit. For example, Microsoft Windows Hardware Compatibility Publisher. 😀

    What happens if we just attempt to block this Truesight driver based on its signer without using such qualifiers? Windows won't boot. Why? Well, this vsock.sys driver shares a signer with the bad Truesight driver. Therefore, without a precise block list, the driver will fail to load because the important driver is blocked.

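As an added check that is not part of the post and not Microsoft's own tooling, the script below parses a WDAC policy XML (the `urn:schemas-microsoft-com:sipolicy` format) and flags DeniedSigner rules whose Signer carries no FileAttribRef qualifier, i.e. the bare signer block that the post shows can take out vsock.sys. The embedded policy is constructed for the example; its TBS value, file name and version are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:schemas-microsoft-com:sipolicy"}

# Constructed sample policy, not a real block list; TBS value, file name and
# version are placeholders. One denied signer is qualified by a FileAttribRef,
# the other denies everything that certificate ever signed.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <FileAttrib ID="ID_FILEATTRIB_BAD_DRIVER" FriendlyName="placeholder"
                FileName="PLACEHOLDER_DRIVER.sys" MaximumFileVersion="65535.65535.65535.65535" />
  </FileRules>
  <Signers>
    <Signer ID="ID_SIGNER_QUALIFIED" Name="Shared signer (placeholder)">
      <CertRoot Type="TBS" Value="00" />
      <FileAttribRef RuleID="ID_FILEATTRIB_BAD_DRIVER" />
    </Signer>
    <Signer ID="ID_SIGNER_BARE" Name="Shared signer (placeholder)">
      <CertRoot Type="TBS" Value="00" />
    </Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Driver Signing Scenarios">
      <ProductSigners>
        <DeniedSigners>
          <DeniedSigner SignerID="ID_SIGNER_QUALIFIED" />
          <DeniedSigner SignerID="ID_SIGNER_BARE" />
        </DeniedSigners>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
"""


def unqualified_denied_signers(policy_xml: str) -> list:
    """SignerIDs of DeniedSigner rules whose Signer carries no FileAttribRef.

    Without a FileName/MaximumFileVersion qualifier the rule blocks every binary
    the certificate signed, which is how a block aimed at one bad driver can
    also block a boot-critical driver such as vsock.sys."""
    root = ET.fromstring(policy_xml)
    signers = {s.get("ID"): s for s in root.findall("p:Signers/p:Signer", NS)}
    bare = []
    for denied in root.findall(".//p:DeniedSigner", NS):
        signer = signers.get(denied.get("SignerID"))
        if signer is None or signer.find("p:FileAttribRef", NS) is None:
            bare.append(denied.get("SignerID"))
    return bare
```

Run it against a policy exported from a test machine before deploying; any SignerID it returns is a rule that will match every file that certificate signed.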
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.