- May 31, 2017
We have considered replacing CyberLock's Kernel Mode Driver with WDAC many times in the past, but every time we start researching this possibility, we immediately realize that WDAC is simply not flexible enough, and it would require removing tons of features that would negatively impact CyberLock's efficacy and usability.
Maybe I am missing something, and maybe WDAC is capable of creating sophisticated rules that make deny-by-default / zero-trust practical. It is my understanding that WDAC, at best, can create policies based on the process path, and is unable to evaluate the parent process or command line.
Here is an extremely simplified example...
1) All new processes are denied by default
2) Create a rule that will auto allow an event if the Parent Process is in the user space, and the Process is not a web or vulnerable app, and the Process sig matches the Parent Process sig.
// Auto-allow when the parent runs from user space, the child is not a web-facing or
// vulnerable app, and both images carry the same signer thumbprint; otherwise deny.
bool allow = false;
if (IsUserSpaceProcess(ParentProcessPath)
    && !IsWebOrVulnerableApp(ProcessPath)
    && GetDigitalSignatureThumbprint(ProcessPath).Equals(GetDigitalSignatureThumbprint(ParentProcessPath)))
{
    allow = true;
}
How would you create a policy in WDAC to accomplish this?
How do you block LOLBins without blindly blocking the vulnerable file globally?
CyberLock has tons of rules like this that have been refined over the years, and it would be easy to port these rules to WDAC if it is flexible enough to create a policy that is able to implement these rules.
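As an added illustration (not CyberLock's code and not a WDAC policy), the post's two rules expressed as a deny-by-default evaluator over constructed process-creation events. The user-space prefixes, the web/vulnerable-app list, the LOLBin list and the thumbprint values are all assumed sample data; the LOLBin rule shows a block keyed on the parent context rather than on the binary globally.

```python
from dataclasses import dataclass

# Constructed sample data (assumptions, not from the post): where user-space
# parents live, which parents count as web-facing/vulnerable, and which
# binaries are treated as LOLBins.
USER_SPACE_PREFIXES = ("c:\\users\\", "c:\\program files\\", "c:\\program files (x86)\\")
WEB_OR_VULNERABLE_APPS = {"chrome.exe", "outlook.exe", "winword.exe", "excel.exe"}
LOLBINS = {"powershell.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    process_path: str
    parent_path: str
    process_thumbprint: str   # signer certificate thumbprint of the child image
    parent_thumbprint: str    # signer certificate thumbprint of the parent image

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_user_space_process(path: str) -> bool:
    return path.lower().startswith(USER_SPACE_PREFIXES)

def is_web_or_vulnerable_app(path: str) -> bool:
    return _name(path) in WEB_OR_VULNERABLE_APPS

def is_lolbin(path: str) -> bool:
    return _name(path) in LOLBINS

def evaluate(event: ProcessEvent) -> tuple[str, str]:
    """Deny-by-default policy with parent-aware rules; returns (verdict, reason)."""
    # Rule A: a LOLBin is denied only when its parent is a web-facing/vulnerable
    # app, so the same binary stays usable when launched from a benign context.
    if is_lolbin(event.process_path) and is_web_or_vulnerable_app(event.parent_path):
        return "deny", "lolbin spawned by web/vulnerable app"
    # Rule B (the post's rule): parent in user space, child not a web/vulnerable
    # app, and both images signed with the same thumbprint.
    if (is_user_space_process(event.parent_path)
            and not is_web_or_vulnerable_app(event.process_path)
            and event.process_thumbprint == event.parent_thumbprint):
        return "allow", "parent in user space with matching signer"
    # Everything else: new process denied by default.
    return "deny", "default deny"
```

Rule A matters exactly where rule B alone would allow: two images from the same vendor share a signer, so a document viewer launching a scripting host would otherwise pass on the signature match.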