Question Is "constrained language mode" a security feature or not?

That is what I mean: to use WDAC only, without SRP; WDAC will enforce CLM and abort most attacks without the need for SRP.
So I am appealing to add the option to apply CLM via WDAC in WHHL 🙏

In WHHLight, WDAC is configured to allow scripting (no CLM). The CLM and scripting protection are applied via SWH.
 
Why not allow applying CLM through WDAC in WHHL? It will be useful for those who prefer to enable WDAC only, without SRP.
 

It does not make sense. If you want to use only WDAC, do not use WHHLight. :)(y)
You assume that WDAC alone (with CLM) can be an efficient and usable security solution. If I thought so, I would not use SWH in WHHLight.
The idea of WHHLight is kinda similar to SAC, but more flexible (SAC also does not restrict scripts via WDAC).
 
SAC also does not restrict scripts via WDAC
An advantage for WDAC over SAC.
SRP is recommended for all who do not know which file types to avoid executing; I recommend using WHHL in full function for all who ask me.
But I already know those file types and I can avoid trying to execute them without SRP holding my hand before I do; I only need WDAC to block DLL hijacking, which I cannot do.
 
Parkinsond,


OK. You can use WHHLight with disabled SWH. :)(y)
 
You said you need protection only for DLL hijacking.
I'm greedy; I need also CLM in case something slipped past my cautious use.
In addition, SAC has no exclusions; I cannot install MPC-HC, whose installer was released more than 2 weeks ago.
 
I'm greedy; I need also CLM in case something slipped past my cautious use.

PowerShell is only one of the popular LOLBins. If you will not apply the convenient SWH (which allows whitelisting), you must block popular LOLBins. This can be done via WDAC (but very inconvenient at home). I think that you can seek something similar to CyberLock. (y)
 
This can be done via WDAC (but very inconvenient at home)
It is inconvenient indeed, but WHHL has made it a piece of cake.
I can create a WDAC policy using the wizard and apply it manually, modify it, and add exclusions, but I never recommend this approach to average users; WHHL should be acquired by MS and applied to home PCs.
 
I'm greedy; I need also CLM in case something slipped past my cautious use.
In addition, SAC has no exclusions; I cannot install MPC-HC, whose installer was released more than 2 weeks ago.

There is a simple solution. Use another application that is properly signed.
Unfortunately, you cannot be conveniently safe if you want to install/use all the applications you currently like.
I am sure you can find and like a similar application that is allowed by SAC. :)
 
Unfortunately, Media Player Classic, both Home Cinema and Black Edition, are the most efficient, light, and privacy-respecting media players available.
I easily bypass this by using the installer version released before the last (I'm using the one-month-old+ installer of the same app blocked by SAC).

There is a signed one called PotPlayer; efficient, but not as light, and it keeps calling home (produced by an ad-related Korean company).

Not all great apps are signed.
 
Parkinsond,

At home, you can apply the __PSLockdownPolicy policy to apply CLM.
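As an added illustration of the suggestion above (example code written for this thread, not from WHHLight, SWH or Microsoft), the following Windows PowerShell script sets the machine-wide __PSLockdownPolicy variable to 4, which makes new PowerShell sessions start in ConstrainedLanguage, reports what the current session and the machine setting say, and confirms the result from a fresh process. It assumes an elevated Windows PowerShell 5.1 session; the function names are my own.

```powershell
# Added example (not from the thread): apply Constrained Language Mode at home via the
# __PSLockdownPolicy machine environment variable and verify it. Run elevated.

function Get-PSLanguageModeState {
    # Report the mode of the current session and the machine-wide lockdown value.
    # The value is read by PowerShell at process start, so the current session keeps
    # whatever mode it started with even after the variable is changed.
    [PSCustomObject]@{
        CurrentSessionMode = $ExecutionContext.SessionState.LanguageMode
        MachineLockdownVar = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
    }
}

function Enable-PSLockdownPolicy {
    # Value 4 selects ConstrainedLanguage for new sessions on this machine.
    # Writing to the Machine target requires administrator rights.
    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
}

function Disable-PSLockdownPolicy {
    # Passing $null removes the variable, returning new sessions to FullLanguage.
    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', $null, 'Machine')
}

function Test-PSLockdownPolicy {
    # Start a fresh Windows PowerShell process and ask it which mode it is in.
    $mode = & powershell.exe -NoProfile -Command '$ExecutionContext.SessionState.LanguageMode'
    return ($mode -eq 'ConstrainedLanguage')
}

# Usage: enable, then show the state and confirm with a new process.
Enable-PSLockdownPolicy
Get-PSLanguageModeState | Format-List
if (Test-PSLockdownPolicy) {
    'New PowerShell sessions start in ConstrainedLanguage.'
} else {
    'ConstrainedLanguage was not applied; check that this session is elevated.'
}
```

Get-PSLanguageModeState is the part worth keeping around: it tells you which mode a session is actually running in, which is the quickest way to see whether CLM is in effect regardless of how it was applied. Microsoft documents __PSLockdownPolicy as a debugging and testing mechanism rather than a security enforcement one, since any account that can edit machine environment variables can clear it; CLM enforced through WDAC or AppLocker policy, as discussed earlier in this thread, is the stronger option because PowerShell derives the mode from the application control policy instead of from a writable variable.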


I am fully satisfied with VLC.