Serious Discussion Inside Microsoft's plan to kill PPLFault

WDAC + ISG is smart deny-by-default in a similar sense to CyberLock. It is not zero-trust, but it can be part of a Zero Trust Model in the sense promoted by Microsoft:
Hehehe, Andy, that is the EXACT verbiage that drives me absolutely insane ;).

WDAC + ISG is quite similar to CyberLock when it is OFF or on AutoPilot, and none of these configurations can possibly be part of a zero trust model, unless the model includes another blocking mechanism / layer that does not auto-allow new, non-whitelisted items. ISG, WLC and VoodooAi are all highly effective, but they are not perfect.

ISG or WLC / VoodooAi are likely sufficient when the user is not engaging in risky activities, like browsing the web or checking email. But when the user is engaging in risky activities, auto-allowing anything new is dangerous.
 
I think that ISG or WLC / VoodooAi are sufficient when the home users browse the web or check email.
Such activities are well-tested by AV-Test, AV-Comparatives, and SE Labs.

For example, Microsoft Defender on default settings can miss approximately one malware per 250 samples.
When you add WDAC (ISG), WLC / VoodooAi, or even SAC, the chances are probably one infection per several thousand samples. Most users encounter (at most) a few malware samples per year, so they should not worry about infection, except when one would like to be Methuselah. :)

The situation is different in enterprises, where the machine may well be working in a compromised environment and the attacker may know the details of the implemented security. WDAC can be configured with Hypervisor-protected Code Integrity, and the policies can be signed. Such protection is much more resistant to attacks via the kernel compared to any security based on a kernel driver.
 