Lenovo Vantage contains some add-ins that use PowerShell scripts. These add-ins will be blocked by the SWH option.
[Image: A PowerShell script used by Lenovo Vantage.]
WHHLight installed on the already infected computer.
If one suspects that the computer is infected, then applying WHHLight can help identify the malware. In such a case the user should run WHHLight, switch ON the WDAC, remove all entries from the WDAC Whitelist, and restart Windows. In most cases, the malware uses files dropped for persistence in the UserSpace. These files (EXE, DLL, scripts, etc.) will be blocked. The blocked events can be seen via the <Events> blue buttons in WHHLight.
Here are some examples:
Can You Trust a File's Digital Signature? New Zloader Campaign exploits Microsoft's Signature Verification putting users at risk - Check Point Research (research by Golan Cohen; research.checkpoint.com): Last seen in August 2021, Zloader, a banking malware designed to steal user credentials and private information, is back with a simple yet sophisticated infection chain. Previous Zloader campaigns, which were seen in 2020, used malicious documents, adult...
THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems (www.cybereason.com): This report provides unique insight into SocGholish and Zloader attacks and provides an overview of the common tactics and techniques in SocGholish infections...
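The "switch WDAC on, empty the whitelist, reboot, read the blocked events" procedure above can also be followed from the Windows event logs directly. The script below is an added example written for this thread; it is not part of WHHLight or any of Andy Ful's tools. It assumes that enforced WDAC blocks of EXE/DLL files land in the CodeIntegrity operational log as event ID 3077, that WDAC script blocks land in the AppLocker "MSI and Script" log as event ID 8029, and that the blocked file path can be recovered from the event message with a regex (the last path mentioned in the message). The `$UserSpace` folder list is a constructed default.

```powershell
# Added example (not from the original post or WHHLight): list files that WDAC
# blocked since the reboot, so suspicious user-space drops stand out.
# Run in an elevated PowerShell after the restart described in the post.
# Assumptions: event 3077 (CodeIntegrity/Operational, enforced block) and
# event 8029 (AppLocker "MSI and Script", WDAC script block) are the events to
# read; the blocked file is the last path named in the message text.
param(
    [int]$Hours = 24,
    # Folders treated as "user space" (constructed default; adjust to taste).
    [string[]]$UserSpace = @('\Users\', '\ProgramData\', '\Temp\')
)

$since = (Get-Date).AddHours(-$Hours)

$filters = @(
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8029; StartTime = $since }
)

$events = foreach ($f in $filters) {
    # SilentlyContinue: an empty log (no blocks yet) is not an error here.
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

# CodeIntegrity messages use \Device\HarddiskVolumeN\... for both the loading
# process and the blocked file; AppLocker script messages use %OSDRIVE%\...
# or a drive-letter path. Assumption: this regex covers all three forms.
$pathRegex = '(\\Device\\HarddiskVolume\d+\\[^\s"]+|%[A-Z]+%\\[^\s"]+|[A-Za-z]:\\[^\s"]+)'

$blocked = foreach ($e in $events) {
    $m = [regex]::Matches($e.Message, $pathRegex)
    if ($m.Count -gt 0) {
        # The blocked file is named after the loading process, so take the last match.
        $file = $m[$m.Count - 1].Value
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            File      = $file
            UserSpace = [bool]($UserSpace | Where-Object { $file -like "*$_*" })
        }
    }
}

# Group by file: a persistence drop usually shows up as a repeatedly blocked
# EXE/DLL/script under a user-writable folder, so sort those to the top.
$blocked |
    Group-Object File |
    ForEach-Object {
        [pscustomobject]@{
            File      = $_.Name
            Attempts  = $_.Count
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            UserSpace = $_.Group[0].UserSpace
        }
    } |
    Sort-Object UserSpace, Attempts -Descending |
    Format-Table -AutoSize
```

Entries with `UserSpace = True` and several attempts are the ones to compare against the WHHLight <Events> view; legitimate software auto-updaters that run from user space (the Lenovo Vantage add-ins mentioned earlier are one example) will show up here too, so each hit still needs a look before it is treated as malware.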
If I toggle the top most slider to OFF, can I use my own SRP ? I like to forbid Powershell and cmd till I really need to use them.
... I need to disable their favorite Windows native tools as revealed by Comodo's OpenEDR.
2. Microsoft says WDAC works with any third-party security solution. Where did you read that when ISG enabled Microsoft Defender is required as AV?
My concerns are of different types:
- SWH + WDAC + ISG can be mostly reproduced by WHHLight (WDAC OFF) + ConfigureDefender (MAX)
ISG requires Microsoft Defender - WHHLight does not.
ISG will block many software auto-updates - WHHLight will not.
Okay. I edited my post by removing points 2 and 3. They were based on false logic.
Although ISG requires MS Defender (as my test can suggest) to work properly, WDAC + ISG works the same as WHHLight when MS Defender is disabled (files are simply blocked if not whitelisted).
In the ISG setup, one can whitelist the same folders as in WHHLight and avoid blocking auto-updates.
Point 2 should look as follows:
ISG can work differently whether Defender is the primary AV or 3rd party AV is installed. WHHLight will work in the same way, no matter which AV is installed.
How did you test ISG? Maybe it would help Andy Ful to see what is the difference between your/his results. //Edit for typo.
Thanks for explaining how you tested ISG, but the results differ so much from mine; could you repeat the test without Defender but with the AppIDservice enabled (as Microsoft advises)?
With the AppIDservice enabled and explicit allow rules for Windows and ProgramFiles (also x86) folders in combination with H_C in SWH mode plus lolbins blocked (enhanced).
Quoting the two posts above:
How did you test ISG? Maybe it would help Andy Ful to see what is the difference between yours/his results.
... could you repeat the test without Defender but with the AppIDservice enabled (as Microsoft advises)?
With the AppIDservice enabled and explicit allow rules for Windows and ProgramFiles (also x86) folders in combination with H_C in SWH mode plus lolbins blocked (enhanced).
But I only tested around 10 programs, not as many as Andy.
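For anyone who wants to reproduce the ISG setup that was being compared in the posts above (explicit allow rules for Windows and both Program Files folders, ISG for everything else, AppID service running), the script below builds such a policy with the built-in ConfigCI cmdlets. It is an added example for this thread, not code from WHHLight, H_C or any of the posters. It assumes that rule option 14 is "Enabled:Intelligent Security Graph Authorization", option 3 is "Enabled:Audit Mode", option 0 is "Enabled:UMCI", that `New-CIPolicyRule -FilePathRule` accepts wildcard folder rules, and that `appidtel.exe start` is the way Microsoft's ISG documentation starts the AppID service; the output paths are placeholders. It does not deploy the policy, so nothing is enforced until you copy the binary into place yourself.

```powershell
# Added example (not from the thread or any of Andy Ful's tools): build a WDAC
# policy with folder allow rules for Windows and Program Files and ISG
# reputation checks for everything else, starting in audit mode.
# Run elevated on Windows 10/11 where the ConfigCI module is available.
# Assumptions: option numbers 14 (ISG), 3 (audit) and 0 (UMCI) are correct;
# paths below are placeholders.

$xml = Join-Path $env:TEMP 'ISG_Policy.xml'   # placeholder output path
$bin = Join-Path $env:TEMP 'ISG_Policy.cip'   # placeholder output path

# Folder allow rules. WDAC only honours path rules for folders that standard
# users cannot write to, which is why no user-space folder is listed here.
$rules = @()
$rules += New-CIPolicyRule -FilePathRule "$env:SystemRoot\*"
$rules += New-CIPolicyRule -FilePathRule "$env:ProgramFiles\*"
$rules += New-CIPolicyRule -FilePathRule "${env:ProgramFiles(x86)}\*"

# Write the policy in the multiple-policy format used by current Windows builds.
New-CIPolicy -MultiplePolicyFormat -FilePath $xml -Rules $rules

# Option 0: enforce user-mode code integrity, not just kernel mode.
Set-RuleOption -FilePath $xml -Option 0
# Option 14: files not covered by an explicit rule are authorised by ISG reputation.
Set-RuleOption -FilePath $xml -Option 14
# Option 3: audit mode. Blocks are logged as CodeIntegrity event 3076 instead of
# being enforced; remove the option (Set-RuleOption ... -Option 3 -Delete) once
# the 3076 events look clean and you want real blocking (event 3077).
Set-RuleOption -FilePath $xml -Option 3

# Compile the XML into the binary the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin

# ISG cannot answer reputation queries unless the Application Identity service
# is running; this is the step the posts above call "enabling the AppIDservice".
& (Join-Path $env:SystemRoot 'System32\appidtel.exe') start

Write-Host "Policy written to $bin (audit mode). Deploy it per Microsoft's WDAC guidance and reboot."
```

Starting in audit mode is what lets the comparison in this thread be made fairly: with the 3076 events you can see exactly which programs ISG would have blocked on a given machine (with or without Defender installed) before anything is actually denied, and the same event list tells you which auto-updaters would need a whitelist entry of the kind WHHLight uses.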