Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114111577516726896">Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 02-Apr-2025 03:02:15 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/114110962209153447" rel="in-reply-to">in reply to</a></div></section><article><p>Further investigation of the endpoint's driver blocklist being out of sync with the online one:</p><p>If count Authentihash, filename/version, and code signer entries, a February-2025-patched Win11 box has 1818 entries, while the online Microsoft recommended driver block rules list has 1906. The fact that the online list is more up to date than a thing that gets pushed out on Patch Tuesday is expected, right?</p><p>Wouldn't we be so lucky.</p><p>If we compare the online driver blocklist vs. the blocklist on fully patched Win11 endpoints and ignore the entries added in December 2024 (which are presumably not present because they're too new) we can break down the missing hashes:<br>Authentihash:<br>9 are 2 years old<br>3 are 1.8 years old<br>Signer:<br>3 are 2.4 years old</p><p>I'm only comfortable with one of those entries not (yet) being on Windows endpoints. What is the excuse for the rest? If Microsoft is going to maintain two different driver block lists (why?), perhaps it would be wise to do a good job of it? You know, to maybe check that they're in sync?  🤦♂️</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4828178#notice-9456049">In conversation</a><time datetime="2025-04-02T03:02:15+09:00" title="Wednesday, 02-Apr-2025 03:02:15 JST">about 4 days ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114111577516726896" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114111577516726896">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4399362">Missing by hash:
* 2DC771BED765E9FE8E79171A851BA158B8E84034FE0518A619F47F3450FFA2BC (Age: 2.0 years)
* 3B05785D8AD770E4356BC8041606B08BDAB56C99 (Age: 2.0 years)
* 478C36F8AF7844A80E24C1822507BEEF6314519185717EC7AE224A0E04B2F330 (Age: 2.0 years)
* 4A68C2D7A4C471E062A32C83A36EEDB45A619683 (Age: 2.0 years)
* 606BECED7746CDB684D3A44F41E48713C6BBE5BFB1486C52B5CCA815E99D31B4 (Age: 2.0 years)
* 6279821BF9ECCED596F474C8FC547DAB0BDDBB3AB972390596BD4C5C7B85C685 (Age: 2.0 years)
* 84152FA241C3808F8C7752964589C957E440403F (Age: 2.0 years)
* 8498265D4CA81B83EC1454D9EC013D7A9C0C87BF (Age: 2.0 years)
* 9E504DB591D321F1F8CEA62A5A111DA0EFB26447 (Age: 1.8 years)
* A7CE1394D10DCFDE7B8A1C90667826DA68933673 (Age: 1.8 years)
* A807532037A3549AE3E046F183D782BCB78B6193163EA448098140563CF857CB (Age: 2.0 years)
* BEDC7276543DAAFC11D44F5F603F8AA48C61837F7C4C9446F10FA522F3275D17 (Age: 1.8 years)Missing by signer:
* 15C37DBEBE6FCC77108E3D7AD982676D3D5E77F7 (Age: 2.4 years)
* 80854F578E2A3B5552EA839BA4F98DDFE94B2381 (Age: 2.4 years)
* F049A238763D4A90B148AB10A500F96EBF1DC436 (Age: 2.4 years)</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/139/293/858/026/624/original/7b48c8a7727507aa.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/139/293/858/026/624/original/7b48c8a7727507aa.png</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 02-Apr-2025 03:02:15 JST Will Dormann
in reply to
Further investigation of the endpoint's driver blocklist being out of sync with the online one:
If count Authentihash, filename/version, and code signer entries, a February-2025-patched Win11 box has 1818 entries, while the online Microsoft recommended driver block rules list has 1906. The fact that the online list is more up to date than a thing that gets pushed out on Patch Tuesday is expected, right?
Wouldn't we be so lucky.
If we compare the online driver blocklist vs. the blocklist on fully patched Win11 endpoints and ignore the entries added in December 2024 (which are presumably not present because they're too new) we can break down the missing hashes:
Authentihash:
9 are 2 years old
3 are 1.8 years old
Signer:
3 are 2.4 years old
I'm only comfortable with one of those entries not (yet) being on Windows endpoints. What is the excuse for the rest? If Microsoft is going to maintain two different driver block lists (why?), perhaps it would be wise to do a good job of it? You know, to maybe check that they're in sync? 🤦♂️
In conversationabout 4 days ago from infosec.exchangepermalink
Attachments
1. Missing by hash: * 2DC771BED765E9FE8E79171A851BA158B8E84034FE0518A619F47F3450FFA2BC (Age: 2.0 years) * 3B05785D8AD770E4356BC8041606B08BDAB56C99 (Age: 2.0 years) * 478C36F8AF7844A80E24C1822507BEEF6314519185717EC7AE224A0E04B2F330 (Age: 2.0 years) * 4A68C2D7A4C471E062A32C83A36EEDB45A619683 (Age: 2.0 years) * 606BECED7746CDB684D3A44F41E48713C6BBE5BFB1486C52B5CCA815E99D31B4 (Age: 2.0 years) * 6279821BF9ECCED596F474C8FC547DAB0BDDBB3AB972390596BD4C5C7B85C685 (Age: 2.0 years) * 84152FA241C3808F8C7752964589C957E440403F (Age: 2.0 years) * 8498265D4CA81B83EC1454D9EC013D7A9C0C87BF (Age: 2.0 years) * 9E504DB591D321F1F8CEA62A5A111DA0EFB26447 (Age: 1.8 years) * A7CE1394D10DCFDE7B8A1C90667826DA68933673 (Age: 1.8 years) * A807532037A3549AE3E046F183D782BCB78B6193163EA448098140563CF857CB (Age: 2.0 years) * BEDC7276543DAAFC11D44F5F603F8AA48C61837F7C4C9446F10FA522F3275D17 (Age: 1.8 years) Missing by signer: * 15C37DBEBE6FCC77108E3D7AD982676D3D5E77F7 (Age: 2.4 years) * 80854F578E2A3B5552EA839BA4F98DDFE94B2381 (Age: 2.4 years) * F049A238763D4A90B148AB10A500F96EBF1DC436 (Age: 2.4 years)
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/139/293/858/026/624/original/7b48c8a7727507aa.png

Public

Embed Notice

HTML Code

Corresponding Notice