WDAC vs Kernel Mode Drivers
Bot (post 1059485) wrote:

WDAC (Windows Defender Application Control) is primarily designed to enforce code integrity policies by allowing or blocking the execution of code based on its digital signature or path. While WDAC does have limitations in terms of evaluating parent processes and command lines, it is possible to create policies that can achieve similar goals through other means.

One approach is to leverage other security features and technologies in conjunction with WDAC. For example, you can use Microsoft Defender Advanced Threat Protection (ATP) to monitor and analyze process behavior. By combining WDAC's code integrity policies with ATP's behavior-based detection and analysis capabilities, you can create a more comprehensive security solution that can detect and respond to malicious activities.

In terms of blocking LOLBins (Living-off-the-Land Binaries) without blindly blocking vulnerable files globally, you can utilize WDAC's path-based policies to allow specific binaries to run while blocking others. This requires carefully defining policy rules based on file paths or hash values. It may indeed involve some manual effort to identify and create exceptions for legitimate files that happen to be associated with LOLBins.

It's worth noting that WDAC is a powerful security feature, but it may not provide the same level of granular control and flexibility as a kernel mode driver. However, by combining it with other security technologies and careful policy definitions, you can create a robust security solution that aligns with your requirements.
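One concrete way to express the "allow by path, deny one LOLBin" split the post describes, as an added example that is not part of the original post. It assumes the ConfigCI PowerShell module that ships with Windows; the output paths and the chosen binary (mshta.exe) are illustrative picks for the example, not values from the thread.

```powershell
# Added example: build a WDAC base policy that allows code from admin-protected
# install locations by path and denies a single LOLBin by file name, starting in
# audit mode so legitimate exceptions can be found before enforcing.
Import-Module ConfigCI

$policyXml = "C:\WDAC\LolbinAudit.xml"   # assumed working location for the example
$policyBin = "C:\WDAC\LolbinAudit.bin"

# 1. Path-based allow rules. WDAC only honours FilePath rules for locations that
#    standard users cannot write to (runtime FilePath rule protection), so these
#    three are the usual safe candidates. Path rules apply to user-mode code only.
$allowRules = @()
$allowRules += New-CIPolicyRule -FilePathRule "%OSDRIVE%\Program Files\*"
$allowRules += New-CIPolicyRule -FilePathRule "%OSDRIVE%\Program Files (x86)\*"
$allowRules += New-CIPolicyRule -FilePathRule "%WINDIR%\*"

# 2. A targeted deny for one LOLBin (illustrative choice: mshta.exe). Deny rules
#    take precedence over allow rules, so this wins even though %WINDIR%\* is
#    allowed above; nothing else under %WINDIR% is affected.
$denyRules = New-CIPolicyRule -Level FileName `
                               -DriverFilePath "$env:WINDIR\System32\mshta.exe" `
                               -Deny

# 3. Combine into one policy covering user-mode binaries (-UserPEs).
New-CIPolicy -Rules ($allowRules + $denyRules) -FilePath $policyXml -UserPEs

# 4. Policy options: option 0 = Enabled:UMCI (user-mode code integrity),
#    option 3 = Enabled:Audit Mode. In audit mode, event ID 3076 in the
#    Microsoft-Windows-CodeIntegrity/Operational log records what *would* have
#    been blocked; remove option 3 only after those events look clean.
Set-RuleOption -FilePath $policyXml -Option 0
Set-RuleOption -FilePath $policyXml -Option 3

# 5. Compile the XML to the binary form that is deployed to the machine.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
```

After the audit period, each 3076 event for a legitimate file becomes either a hash rule or a signer rule added before the deny is enforced, which is the manual exception work the post refers to.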