Hi, thank you! When creating deny rules, you have to be as specific as possible, that means using FilePublisher or Hash levels for signed and unsigned files respectively. 3rd party programs can be using Microsoft signed DLLs too so even if you use the FilePublisher rule, you could end up blocking a file that is used by other programs. What you need to do is to fine tune the policy in the Policy Editor: https://github.com/HotCakeX/Harden-Windows-Security/wiki/PolicyEditor It will show you which signers or files are in a policy. Also App Control is naturally suitable for Allow Listing and not Blocklisting. Blocklisting is rarely used in certain scenarios such as Microsoft recommended user/kernel mode block rules. If for example the goal is to block one browser then there are 100 more out there, or if the goal is blocking one or two image viewer program then 1000 more are out there. Blocklisting is what the traditional antivirus or EDRs have been doing and haven't been very successful. Hope that helps. Levels are explained here: https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-Rule-Levels-Comparison-and-Guide Deny policy creation: https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-an-App-Control-Deny-Policy https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction |
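As an added example (not part of the original reply or the project's own code), here is a PowerShell sketch of the workflow the reply describes: scan the Chrome directory into a deny policy at the FilePublisher level with a Hash fallback, then list the signers the scan produced so that Microsoft-signed redistributables can be spotted before the policy is deployed. The scan and output paths are assumed placeholders; the cmdlet comes from Windows' built-in ConfigCI module.

```powershell
# Added example; paths below are constructed placeholders, adjust to your system.
$ScanPath  = 'C:\Program Files\Google\Chrome\Application'
$PolicyXml = 'C:\Policies\ChromeDeny.xml'

# Create DENY rules from a directory scan: FilePublisher for signed files and
# Hash as the fallback for unsigned ones (the most specific levels, as the
# reply recommends). -UserPEs includes user-mode binaries in the scan.
New-CIPolicy -FilePath $PolicyXml -ScanPath $ScanPath -Level FilePublisher `
    -Fallback Hash -UserPEs -Deny -MultiplePolicyFormat

# Inspect which signers the scan picked up. In a FilePublisher rule the Signer's
# Name is the issuing CA and CertPublisher is the leaf certificate subject, so a
# Microsoft redistributable shipped inside the Chrome folder shows up here as a
# Microsoft signer rather than as Google.
[xml]$Policy = Get-Content -Path $PolicyXml
$Ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
$Ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')

$Signers = $Policy.SelectNodes('//si:Signers/si:Signer', $Ns)
foreach ($Signer in $Signers) {
    $PubNode   = $Signer.SelectSingleNode('si:CertPublisher', $Ns)
    $Publisher = if ($PubNode) { $PubNode.GetAttribute('Value') } else { '(none)' }
    $FileCount = $Signer.SelectNodes('si:FileAttribRef', $Ns).Count
    '{0,-14} {1,-40} {2,-28} files={3}' -f $Signer.GetAttribute('ID'),
        $Signer.GetAttribute('Name'), $Publisher, $FileCount
}

# Flag signers to review in the Policy Editor before deploying: a deny rule keyed
# to a Microsoft publisher would also hit every other program that uses the same
# signed DLL.
foreach ($Signer in $Signers) {
    $PubNode = $Signer.SelectSingleNode('si:CertPublisher', $Ns)
    if ($PubNode -and $PubNode.GetAttribute('Value') -like '*Microsoft*') {
        Write-Warning ("Review before deploy: {0} ({1})" -f
            $Signer.GetAttribute('ID'), $Signer.GetAttribute('Name'))
    }
}
```

The warnings point at the signer IDs to remove or narrow in the Policy Editor linked above; nothing is deployed by this script.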
Hello,
Congratulations on your work. It's amazing.
I want to create a deny rule for an application, for example Chrome. I go to the application and I scan the directory of Chrome.
However, here I get some Microsoft redistributables blocked because they are included in the directory, which results in many DLL files being blocked for other software too. How can I exclude Microsoft-signed files? If I can click scan and deploy them, I am done.