But what about with HVCI on? Does turning HVCI on now make FileAttrib qualifiers work for block lists?
If only it were that simple. On the upside, blocking by signer with FileAttrib qualifiers does work once HVCI is on.
On the confusing side, the FileName qualifier is seemingly not enforced in a way that makes sense.
That is, I can make a copy of the Truesight driver, give it a completely different name (bysigner in my case), and it is still blocked by "Device Guard". I cannot fathom why or how this is the case, other than HVCI-enabled systems having an altogether different blocklist than non-HVCI systems.
As it stands, DeniedSigner blocking with an associated FileAttrib qualifier is currently broken in Windows: on non-HVCI systems, drivers are allowed that should be blocked, and on HVCI systems, drivers are blocked that should probably be allowed.
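The experiment described above, written out as a repro harness you can run on both an HVCI and a non-HVCI test VM to compare results. This is an added example, not code from the original post: the driver path is a placeholder, the renamed copy and service are called "bysigner" to mirror the post, and it must be run elevated on a disposable machine. One check worth having in front of you while comparing: WDAC's FileAttrib FileName attribute is documented as matching the OriginalFilename stored in the binary's version resource, not the name on disk, and neither that field nor the Authenticode signature changes when you rename the file, so the script prints both alongside the load result and the Code Integrity events.

```powershell
# Added repro harness for the rename experiment; not code from the original post.
# Assumptions: $DriverPath points at a signed driver covered by your deny rule
# (the path is a placeholder), you are running elevated on a throwaway test VM,
# and the renamed copy/service is "bysigner" as in the post.
param(
    [string]$DriverPath  = 'C:\Test\truesight.sys',   # placeholder path
    [string]$RenamedName = 'bysigner.sys'             # renamed copy, as in the post
)

# 1. Confirm whether HVCI is actually running on this box.
#    Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is on.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciOn = @($dg.SecurityServicesRunning) -contains 2
"HVCI running: $hvciOn"

# 2. Copy the driver under an unrelated on-disk name.
$renamedPath = Join-Path (Split-Path -Parent $DriverPath) $RenamedName
Copy-Item -LiteralPath $DriverPath -Destination $renamedPath -Force

# 3. Show what a signer/FileAttrib rule can actually see: the Authenticode signer
#    is unchanged by a rename, and so is OriginalFilename in the version resource,
#    which is what WDAC's FileName attribute matches (not the on-disk name).
$sig = Get-AuthenticodeSignature -FilePath $renamedPath
$ver = (Get-Item -LiteralPath $renamedPath).VersionInfo
"Signer          : $($sig.SignerCertificate.Subject) ($($sig.Status))"
"On-disk name    : $(Split-Path -Leaf $renamedPath)"
"OriginalFilename: $($ver.OriginalFilename)"

# 4. Register the renamed copy as a kernel service and try to start it.
$svc   = [System.IO.Path]::GetFileNameWithoutExtension($RenamedName)
$start = Get-Date
sc.exe create $svc type= kernel binPath= "$renamedPath" | Out-Null
sc.exe start $svc | Out-Null
$rc = $LASTEXITCODE
# 1275 is ERROR_DRIVER_BLOCKED, the code typically returned when Code Integrity refuses the load.
$verdict = switch ($rc) { 0 { '(loaded!)' } 1275 { '(ERROR_DRIVER_BLOCKED)' } default { '' } }
"sc start exit code: $rc $verdict"

# 5. Pull the Code Integrity events for this file since the attempt
#    (3077 = blocked under an enforced policy; 3076 would mean audit mode only).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($RenamedName) } |
    Select-Object TimeCreated, Id, Message | Format-List

# 6. Clean up (stop first in case it actually loaded).
if ($rc -eq 0) { sc.exe stop $svc | Out-Null }
sc.exe delete $svc | Out-Null
```

Run it once with HVCI off and once with HVCI on against the same policy; the interesting comparison is the exit code and the 3077 events for the renamed copy, because on-disk name, OriginalFilename and signer are identical across both runs.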
I think I've reached my limit as to what my poor brain can grok with all of this. But all 3 bugs (vulnerabilities, IMO) are in Microsoft's hands, so we'll see how they sort it out.