GNU social JP
GNU social JP is a Japanese GNU social server.
HVCI on: a driver named TrueSight is blocked. But a driver with a completely different filename is also blocked, despite the block list specifying FileName="TrueSight".

Download link

https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/116/452/721/513/734/original/91ed994def1d02ed.png

Notices where this attachment appears

  1. Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 02-Apr-2025 03:02:14 JST
     in reply to

    But what about with HVCI on? Does turning HVCI on now make FileAttrib qualifiers work for block lists?

    Wouldn't it be so easy? On the upside, blocking by signer with FileAttrib qualifiers works.

    On the confusing side, the FileName qualifier is seemingly not enforced in a way that makes sense.

    That is, I can make a copy of the Truesight driver and give it a completely different name (bysigner in my case), and it's still blocked by "Device Guard". I cannot fathom why/how this is the case. Other than HVCI-enabled systems having an altogether different blocklist than non-HVCI systems?

    But as it is, DeniedSigner blocking with an associated FileAttrib qualifier is currently broken in Windows. In the case of non-HVCI systems, drivers are allowed that should be blocked. And in the case of HVCI systems, drivers are blocked that should probably be allowed.

    I think I've reached my limit as to what my poor brain can grok with all of this. But all 3 bugs (vulnerabilities, IMO) are in Microsoft's hands, so we'll see how they sort it out.

    In conversation about 2 months ago from infosec.exchange
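The policy shape the post is discussing, as an added illustration (this is not the post's attachment and not Microsoft's recommended driver block list): a DeniedSigner whose scope is narrowed by a FileAttribRef to a FileAttrib carrying FileName="TrueSight". The publisher name, TBS hash and policy GUID are placeholders. One documented detail that matters for the renaming experiment described above: WDAC matches a FileAttrib's FileName against the OriginalFileName field in the PE's version resource, not against the name of the file on disk, so a copy of a driver under another filename still satisfies that qualifier.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative WDAC policy fragment (added example, not the post's attachment
     and not Microsoft's block list). Publisher name, TBS hash and GUID are
     placeholders. Audit mode is enabled so a deny rule can be tested without
     actually preventing a driver from loading. -->
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>1.0.0.0</VersionEx>
  <PolicyID>{PLACEHOLDER-POLICY-GUID}</PolicyID>
  <BasePolicyID>{PLACEHOLDER-POLICY-GUID}</BasePolicyID>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <!-- Audit mode: would-be blocks are logged to the CodeIntegrity
         operational log instead of enforced. Remove to enforce. -->
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
  <EKUs />
  <FileRules>
    <!-- The qualifier. FileName is compared with the version resource's
         OriginalFileName, not the on-disk filename. MinimumFileVersion 0.0.0.0
         makes every version of the file match. -->
    <FileAttrib ID="ID_FILEATTRIB_TRUESIGHT"
                FriendlyName="TrueSight driver (matched by OriginalFileName)"
                FileName="TrueSight"
                MinimumFileVersion="0.0.0.0" />
  </FileRules>
  <Signers>
    <!-- The signer is identified by the TBS hash of a certificate in the
         signing chain; the FileAttribRef narrows the deny so that only files
         from this signer that also match the FileAttrib above are denied. -->
    <Signer ID="ID_SIGNER_TRUESIGHT_PUBLISHER" Name="PLACEHOLDER publisher certificate">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_HASH" />
      <FileAttribRef RuleID="ID_FILEATTRIB_TRUESIGHT" />
    </Signer>
  </Signers>
  <SigningScenarios>
    <!-- Value 131 is the kernel-mode (driver) signing scenario. -->
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel-mode code">
      <ProductSigners>
        <DeniedSigners>
          <DeniedSigner SignerId="ID_SIGNER_TRUESIGHT_PUBLISHER" />
        </DeniedSigners>
      </ProductSigners>
    </SigningScenario>
    <!-- Value 12 is the user-mode scenario; left empty here. -->
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User-mode code">
      <ProductSigners />
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners />
  <!-- 0: this policy does not itself turn HVCI on. Whether HVCI is enabled
       is a separate setting from the deny rule above. -->
  <HvciOptions>0</HvciOptions>
</SiPolicy>
```

With audit mode on, the effect of the rule shows up in the Microsoft-Windows-CodeIntegrity/Operational log (audit events rather than block events), which is the place to verify that a DeniedSigner plus FileAttrib qualifier behaves as intended on a given build before enforcing it, and to compare HVCI-enabled and HVCI-disabled hosts side by side as the post does.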

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.