Windows 10: -level hash with Windows Defender Application Control - can't get it working

Discuss and support -level hash with Windows Defender Application Control - can't get it working in AntiVirus, Firewalls and System Security to solve the problem; Hi. I am trying to get Windows Defender Application Control working via hash rules. We are using WDAC as we don't have Win10 Enterprise, I know,... Discussion in 'AntiVirus, Firewalls and System Security' started by Daniel James daniel.james, Jan 30, 2020.

  1. -level hash with Windows Defender Application Control - can't get it working


    Hi.


    I am trying to get Windows Defender Application Control working via hash rules. We are using WDAC as we don't have Win10 Enterprise, I know, we should...


    I have got WDAC working, my policy allows all Microsoft apps and anything in c:\windows\ c:\program files and c:\program files x86. I am also happy getting apps to work via publisher however I just can't get it working by file hash alone.


    I am running:


    new-cipolicy -level hash -scanpath 'c:\source\' -filepath puttyhash.xml


    which appears to create a blank policy (see the bottom of this message). Converting this policy to binary seems to result in Windows Defender being switched off: no logs appear in Event Viewer -> Application and Service Logs -> Microsoft -> Windows -> Code Integrity -> Operational for any .exe files.


    Switching option 3 off and re-converting stops the machine from booting, so I don't understand the lack of logs...


    Merging this into my normal policy and then switching option 3 off doesn't seem to have any effect on behavior; I still can't run putty.exe, I get the 'Your , except from file paths I have allowed.


    Using new-cipolicy -level publisher -scanpath 'c:\source\' -filepath puttyhash.xml and then merging/converting does seem to work.


    What am I doing wrong? Does hash only work as a fallback when a file doesn't have a publisher?


    Thanks.



    Created hash policy:

    <?xml version="1.0" encoding="utf-8"?>
    <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
      <VersionEx>10.0.0.0</VersionEx>
      <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
      <Rules>
        <Rule>
          <Option>Enabled:Unsigned System Integrity Policy</Option>
        </Rule>
        <Rule>
          <Option>Enabled:Audit Mode</Option>
        </Rule>
        <Rule>
          <Option>Enabled:Advanced Boot Options Menu</Option>
        </Rule>
        <Rule>
          <Option>Required:Enforce Store Applications</Option>
        </Rule>
      </Rules>
      <!--EKUS-->
      <EKUs />
      <!--File Rules-->
      <FileRules />
      <!--Signers-->
      <Signers />
      <!--Driver Signing Scenarios-->
      <SigningScenarios>
        <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 01-30-2020">
          <ProductSigners />
        </SigningScenario>
        <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 01-30-2020">
          <ProductSigners />
        </SigningScenario>
      </SigningScenarios>
      <UpdatePolicySigners />
      <CiSigners />
      <HvciOptions>0</HvciOptions>
      <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
    </SiPolicy>

    :)
     
    Daniel James daniel.james, Jan 30, 2020
    #1
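The empty <FileRules /> element in the policy above is the symptom to check for before merging anything. The script below is an added example, not code from the original post: it builds the hash-level policy for the user-mode executables in the scan folder, refuses to continue if no file rules were generated, and only then merges, removes audit mode (rule option 3) and converts to binary. All paths are assumptions; the cmdlets are the standard ConfigCI ones (New-CIPolicy, Merge-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy).

```powershell
# Added example (not from the original post). Paths below are assumed; adjust them.
$ScanPath   = 'C:\source\'                  # folder holding putty.exe (assumed)
$HashPolicy = 'C:\policies\puttyhash.xml'   # assumed output of the hash scan
$BasePolicy = 'C:\policies\BasePolicy.xml'  # assumed existing base policy (audit mode)
$Merged     = 'C:\policies\MergedPolicy.xml'
$Binary     = 'C:\policies\SIPolicy.p7b'

# New-CIPolicy scans only kernel-mode binaries unless -UserPEs is given, so a scan of
# a folder of user-mode tools yields a policy whose <FileRules /> is empty. -UserPEs
# includes user-mode PEs; the two SigningScenario elements in the generated XML
# (DRIVERS vs WINDOWS) are the kernel-mode and user-mode halves of the policy.
# Hash rules match the Authenticode hash of the PE, so every new build of the
# executable needs a fresh rule.
New-CIPolicy -Level Hash -UserPEs -ScanPath $ScanPath -FilePath $HashPolicy

# Count the Allow/Deny file rules in a policy XML instead of trusting the scan silently.
function Get-WdacFileRuleCount {
    param([Parameter(Mandatory)][string]$PolicyPath)
    [xml]$doc = Get-Content -Path $PolicyPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')
    $rules = $doc.SelectNodes('//si:FileRules/si:Allow | //si:FileRules/si:Deny', $ns)
    return @($rules).Count
}

$count = Get-WdacFileRuleCount -PolicyPath $HashPolicy
if ($count -eq 0) {
    # Same situation as the blank policy in the post: stop here rather than merging
    # a policy that allows nothing and then wondering why the binary is still blocked.
    throw "No file rules were generated from $ScanPath. Check -UserPEs and that the folder contains PE files."
}
Write-Host "Generated $count hash rule(s) from $ScanPath"

# Merge into the base policy, then drop audit mode (option 3) on the merged output
# only, so the base policy file itself stays in audit mode and can be redeployed.
Merge-CIPolicy -PolicyPaths $BasePolicy, $HashPolicy -OutputFilePath $Merged
Set-RuleOption -FilePath $Merged -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary
```

Run from an elevated PowerShell session; after deploying the binary, the Code Integrity -> Operational log should show allow or block events for putty.exe that can be checked against the generated rule's hash.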
  2. Brink Win User

    Windows Defender Application Control enhancements in Windows 10 v1903

    Source: https://www.microsoft.com/security/b...y-2019-update/
     
    Brink, Jan 30, 2020
    #2
  4. Brink Win User

    OneNote REST API now supports application-level permissions


    Source: The OneNote REST API now supports application-level permissions - Office Blogs
     
    Brink, Jan 30, 2020
    #4