Diff of WDAC block list. One will BSOD Windows because it has no FileAttrib restrictions on Microsoft Windows Third Party Component CA 2012 signer. The other will NOT BSOD Windows because it has FileAttrib restrictions on Microsoft Windows Third Party Component CA 2012 signer. But it also will not block the driver unless HVCI is on.

Notices where this attachment appears

1. Embed this notice
   Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 02-Apr-2025 03:02:15 JST Will Dormann

   in reply to

   So, based on our BSOD, we can conclude that non-HVCI WDAC driver blocking based on signer does work. But didn't I say earlier that it does not?

   I'm glad you're paying attention. Yes, based on this test we can conclude that WDAC driver blocking based on signer does indeed work. But blocking based solely on signer never really happens in the real world, since it's important for Windows to be able to boot. So in the real world we have blocking by signer with FileAttrib qualifiers.

   This is what's broken with non-HVCI attempts to block things based on signer. (Publisher and friends)

   Without a FileAttrib qualifier, Windows will BSOD, thus proving that WDAC is effective in blocking drivers by signer. However, with a FileAttrib qualifier, Windows without HVCI won't bother blocking anything by signer.