Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114116326272593743">Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 02-Apr-2025 03:02:15 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/114116278137706590" rel="in-reply-to">in reply to</a></div></section><article><p>So, based on our BSOD, we can conclude that non-HVCI WDAC driver blocking based on signer does work. But didn't I say earlier that it does not?</p><p>I'm glad you're paying attention. Yes, based on this test we can conclude that WDAC driver blocking based on signer does indeed work. But blocking based solely on signer never really happens in the real world, since it's important for Windows to be able to boot.  So in the real world we have blocking by signer with FileAttrib qualifiers.</p><p>This is what's broken with non-HVCI attempts to block things based on signer. (Publisher and friends)</p><p>Without a FileAttrib qualifier, Windows will BSOD, thus proving that WDAC is effective in blocking drivers by signer. However, with a FileAttrib qualifier, Windows without HVCI won't bother blocking anything by signer.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4828178#notice-9456051">In conversation</a><time datetime="2025-04-02T03:02:15+09:00" title="Wednesday, 02-Apr-2025 03:02:15 JST">about a month ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114116326272593743" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114116326272593743">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4399367">HVCI is off
Truesight driver is supposed to be blocked by signer, but it is not. (The driver runs fine)</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/116/324/199/714/008/original/68844926884a13a5.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/116/324/199/714/008/original/68844926884a13a5.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4399368">Diff of WDAC block list.
One will BSOD Windows because it has no FileAttrib restrictions on Microsoft Windows Third Party Component CA 2012 signer.
The other will NOT BSOD Windows because it has FileAttrib restrictions on Microsoft Windows Third Party Component CA 2012 signer. But it also will not block the driver unless HVCI is on.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/117/468/366/710/281/original/0dd79c9b462e187d.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/117/468/366/710/281/original/0dd79c9b462e187d.png</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 02-Apr-2025 03:02:15 JST Will Dormann
in reply to
So, based on our BSOD, we can conclude that non-HVCI WDAC driver blocking based on signer does work. But didn't I say earlier that it does not?
I'm glad you're paying attention. Yes, based on this test we can conclude that WDAC driver blocking based on signer does indeed work. But blocking based solely on signer never really happens in the real world, since it's important for Windows to be able to boot. So in the real world we have blocking by signer with FileAttrib qualifiers.
This is what's broken with non-HVCI attempts to block things based on signer. (Publisher and friends)
Without a FileAttrib qualifier, Windows will BSOD, thus proving that WDAC is effective in blocking drivers by signer. However, with a FileAttrib qualifier, Windows without HVCI won't bother blocking anything by signer.
In conversationabout a month ago from infosec.exchangepermalink
Attachments
1. HVCI is off Truesight driver is supposed to be blocked by signer, but it is not. (The driver runs fine)
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/116/324/199/714/008/original/68844926884a13a5.png
2. Diff of WDAC block list. One will BSOD Windows because it has no FileAttrib restrictions on Microsoft Windows Third Party Component CA 2012 signer. The other will NOT BSOD Windows because it has FileAttrib restrictions on Microsoft Windows Third Party Component CA 2012 signer. But it also will not block the driver unless HVCI is on.
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/117/468/366/710/281/original/0dd79c9b462e187d.png

Public

Embed Notice

HTML Code

Corresponding Notice