How does the App Control Manager handle rules for logs that already have rules created for them? #700
Replies: 1 comment
Hi, AppControl Manager has deduplication mechanism, it's applied to every policy generated by it and also available to use in the Merge page where you can select a bunch of policies (or even the same policy) and deduplicate rules in them. The deduplication logic is based on the Code Integrity's schema and what's allowed by it. I'm assuming the 100 rules you created were deny rules. Now if you create allow rules for the same 100 files in the same policy that contains the deny rules then you will have 200 different rules because an allow rule is different than a deny rule and deduplication logic should never result in loss of any rule. The deduplication logic will only remove or merge rules that won't change the outcome of the policy or what it allows/blocks. |
Hello,
First of all, I want to thank @HotCakeX for creating this amazing tool. It has been incredibly helpful for me and my colleagues when it comes to managing WDAC.
I have a question regarding duplicate rules.
Let’s say I have 100 logs from a Code Integrity EVTX file. I create rules for all of these logs, resulting in 100 hash rules being added to my policy.
Now, if I take this policy and run it in audit mode on another device that has the same applications installed, the auditing policy will still generate logs for those same 100 files. This happens even though rules already exist to allow them, simply because the policy is in audit mode. (The logs will show “allowed due to audit mode.” If the policy were in enforced mode, these allowed DLLs would not generate a log.)
Here’s my question:
When I review these logs again and select the same 100 entries to add to the XML, will those entries be skipped if all the properties of the file (e.g., hash, signer, etc.) are the same? Or will it create duplicate rules?
I’m assuming that if there’s even a slight difference—say, the file path is different but the DLL name is the same—it would result in a new rule being created. Is that correct?
Thanks