WDAC vs Kernel Mode Drivers
danb (post 1059483) said:

We have considered replacing CyberLock's Kernel Mode Driver with WDAC many times in the past, but every time we start researching this possibility, we immediately realize that WDAC is simply not flexible enough, and it would require removing tons of features that would negatively impact CyberLock's efficacy and usability.

Maybe I am missing something, and maybe WDAC is capable of creating sophisticated rules that make deny-by-default / zero-trust practical. It is my understanding that WDAC, at best, can create policies based on the process path, and is unable to evaluate the parent process or command line.

Here is an extremely simplified example...

1) All new processes are denied by default
2) Create a rule that will auto-allow an event if the Parent Process is in the user space, and the Process is not a web or vulnerable app, and the Process sig matches the Parent Process sig.

if (IsUserSpaceProcess(ParentProcessPath) && !IsWebOrVulnerableApp(ProcessPath) && GetDigitalSignatureThumbprint(ProcessPath).equals(GetDigitalSignatureThumbprint(ParentProcessPath)))
{
    allow = true;
}

How would you create a policy in WDAC to accomplish this?

How do you block LOLBins without blindly blocking the vulnerable file globally?

CyberLock has tons of rules like this that have been refined over the years, and it would be easy to port these rules to WDAC if it is flexible enough to create a policy that is able to implement these rules.
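To make the contrast in the post concrete, here is an added example (my code, not CyberLock's driver logic and not a WDAC policy) that runs the parent-aware allow rule from the post next to a stand-in for a per-file publisher allow list over a handful of constructed process-creation events. Everything in it is assumed: the event fields, the "user space" test (parent not running as a service account), the LOLBin/browser denylist, the signer thumbprints, and the one extra parent-conditioned exception that lets a LOLBin run only when launched straight from the shell. That exception is mine, added to show how a vulnerable file can be allowed in one context and denied in another, which is the "without blindly blocking it globally" point.

```python
"""Parent-aware allow rule versus a per-file publisher rule, on constructed events.

Added example: not CyberLock's code and not a WDAC policy. Event fields,
thumbprints, the LOLBin list and the shell exception are all illustrative.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed signer thumbprints (not real certificate hashes).
MS_THUMB = "a1b2c3"      # stand-in for a Microsoft signer
VENDOR_THUMB = "d4e5f6"  # stand-in for a third-party vendor signer

# Hypothetical denylist of browsers and script/LOLBin hosts.
WEB_OR_VULNERABLE = {
    "powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "msedge.exe", "chrome.exe", "firefox.exe",
}

# Assumed meaning of "user space": parent is not running as a service account.
SERVICE_ACCOUNTS = {
    r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE",
    r"NT AUTHORITY\NETWORK SERVICE",
}

# Illustrative parent-conditioned exception (mine, not a rule from the post):
# a vulnerable app may run only when launched directly by the shell.
ALLOWED_LOLBIN_PARENTS = {"explorer.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_path: str
    parent_user: str
    parent_thumbprint: Optional[str]  # None = unsigned
    child_path: str
    child_thumbprint: Optional[str]   # None = unsigned


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_space_process(ev: ProcessEvent) -> bool:
    """Parent runs under an interactive user rather than a service account."""
    return ev.parent_user.upper() not in {s.upper() for s in SERVICE_ACCOUNTS}


def is_web_or_vulnerable_app(path: str) -> bool:
    return basename(path) in WEB_OR_VULNERABLE


def signers_match(ev: ProcessEvent) -> bool:
    """Both files signed by the same thumbprint. Two unsigned files must NOT
    match: a bare equality check would treat None == None as a match."""
    return ev.child_thumbprint is not None and ev.child_thumbprint == ev.parent_thumbprint


def parent_aware_allow(ev: ProcessEvent) -> bool:
    """Deny by default; allow only through rules that can see the parent."""
    # Rule from the post: user-space parent, non-vulnerable child, same signer.
    if (is_user_space_process(ev)
            and not is_web_or_vulnerable_app(ev.child_path)
            and signers_match(ev)):
        return True
    # Illustrative exception: a LOLBin launched straight from the shell.
    if (is_user_space_process(ev)
            and is_web_or_vulnerable_app(ev.child_path)
            and basename(ev.parent_path) in ALLOWED_LOLBIN_PARENTS
            and signers_match(ev)):
        return True
    return False


def publisher_only_allow(ev: ProcessEvent, trusted: FrozenSet[str]) -> bool:
    """Stand-in for an allow list keyed on the child's signer alone: the
    decision cannot depend on who launched the file."""
    return ev.child_thumbprint is not None and ev.child_thumbprint in trusted


# Constructed sample events.
USER = r"CORP\bob"
SYSTEM = r"NT AUTHORITY\SYSTEM"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS: Dict[str, ProcessEvent] = {
    "shell->notepad": ProcessEvent(r"C:\Windows\explorer.exe", USER, MS_THUMB,
                                   r"C:\Windows\System32\notepad.exe", MS_THUMB),
    "word->powershell": ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                                     USER, MS_THUMB, PS, MS_THUMB),
    "shell->powershell": ProcessEvent(r"C:\Windows\explorer.exe", USER, MS_THUMB, PS, MS_THUMB),
    "shell->unsigned": ProcessEvent(r"C:\Windows\explorer.exe", USER, MS_THUMB,
                                    r"C:\Users\bob\Downloads\setup.exe", None),
    "unsigned->unsigned": ProcessEvent(r"C:\Users\bob\Downloads\a.exe", USER, None,
                                       r"C:\Users\bob\Downloads\b.exe", None),
    "service->vendor": ProcessEvent(r"C:\Windows\System32\svchost.exe", SYSTEM, MS_THUMB,
                                    r"C:\Program Files\Vendor\agent.exe", VENDOR_THUMB),
}


def evaluate_all(events: Dict[str, ProcessEvent] = EVENTS,
                 trusted: FrozenSet[str] = frozenset({MS_THUMB})) -> Dict[str, Tuple[bool, bool]]:
    """Return {event name: (parent-aware verdict, publisher-only verdict)}."""
    return {n: (parent_aware_allow(e), publisher_only_allow(e, trusted)) for n, e in events.items()}


if __name__ == "__main__":
    for name, (ctx, pub) in evaluate_all().items():
        print(f"{name:20} parent-aware={'ALLOW' if ctx else 'DENY':5}  "
              f"publisher-only={'ALLOW' if pub else 'DENY'}")
```

The row to look at is word->powershell: the publisher-only check allows it because powershell.exe carries the trusted signer, while the parent-aware rule denies it and still lets shell->powershell through. Also note the guard in signers_match: the post's pseudocode compares the two thumbprints directly, and a naive port of that comparison treats two unsigned files as having "matching" signatures, so an unsigned dropper launching an unsigned payload would be auto-allowed.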