WhiteMouse's Security Config 2023
Quoting WhiteMouse (post 1004923):

1. First, go to "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\"; you'll see a file called "DefaultWindows_Enforced.xml". Copy that file to the Downloads folder.

2. Go to "Microsoft recommended block rules - Windows security" (https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules), scroll down until you see a purple note, click "Expand this section to see the WDAC policy XML" and then click on the Copy button at the top right. (Screenshot attached in the original post.)
   Create a new text file, paste into it, and save the file as "MicrosoftRecommendedBlockRules.xml".

3. Open Terminal (Administrator), change directory to Downloads using "cd .\Downloads\" and create a new policy for Program Files and Program Files (x86) using New-CIPolicy:
   New-CIPolicy -ScanPath 'C:\Program Files' -UserPEs -FilePath ".\ProgramFiles.xml" -Level Publisher -Fallback Hash
   New-CIPolicy -ScanPath 'C:\Program Files (x86)' -UserPEs -FilePath ".\ProgramFilesx86.xml" -Level Publisher -Fallback Hash

4. Then merge all of those .xml files into one .xml file:
   Merge-CIPolicy -PolicyPaths '.\DefaultWindows_Enforced.xml','.\MicrosoftRecommendedBlockRules.xml' -OutputFilePath '.\MergedPolicy.xml'
   Merge-CIPolicy -PolicyPaths '.\MergedPolicy.xml','.\ProgramFiles.xml' -OutputFilePath '.\MergedPolicy2.xml'
   Merge-CIPolicy -PolicyPaths '.\MergedPolicy2.xml','.\ProgramFilesx86.xml' -OutputFilePath '.\MergedPolicy3.xml'

5. Go to "Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows) - Windows security" (https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create); there's a list of policy rules (from 0 to 20) that you can add to your .xml file. Use these commands to add or remove a policy rule:
   Set-RuleOption -FilePath <Path to policy XML> -Option <number>
   Set-RuleOption -FilePath <Path to policy XML> -Option <number> -Delete
   I use numbers 0, 2, 4, 6, 12, 19, 20 and remove everything else. You can use Notepad to open the .xml file to see which policy rules are already there and which are missing.

6. Set HVCI to either enabled mode or strict mode:
   Set-HVCIOptions -Enabled -FilePath <Path to policy XML>
   Set-HVCIOptions -Strict -FilePath <Path to policy XML>

7. Convert the policy into a binary file:
   ConvertFrom-CIPolicy -XmlFilePath <Path to policy XML> -BinaryFilePath "<Policy name>.cip"
   Open the .xml file and scroll to the end; you'll see this line: <PolicyID>{A6D7FBBF-9F6B-4072-BF37-693741E1D745}</PolicyID> (the ID here is just an example, yours will be different).
   Rename your .cip file to "{Insert your policy ID here}.cip", with the {} brackets.

8. Finally, copy your .cip file to "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" and reboot your computer.

Note: There's a chance that after you have done all of the above, some files still get blocked by WDAC. Here is what could happen and the solution:
- Some files have a digital signature but it got revoked (rarely happens): copy all those files into one folder, use New-CIPolicy to scan that folder with -Level Hash (no need for -Fallback), then open the .xml with Notepad, use Ctrl + F to find those files and replace the path of the temp folder where you scanned them with the path of the original folder where the files are located.
- Drivers get blocked because they are not WHQL signed: Set-RuleOption -FilePath <Path to policy XML> -Option 2 -Delete
- Files get blocked because they are not in Program Files or Program Files (x86): this shouldn't happen (at least on my computer it doesn't), but if it does, copy those files to one folder and use New-CIPolicy to scan that folder with -Level Publisher -Fallback Hash
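The eight steps of the post, collected into one script. This is an added example, not WhiteMouse's code. It assumes an elevated PowerShell on Windows 10 1903 or later (the multiple-policy format that the {PolicyID}.cip naming relies on), and that DefaultWindows_Enforced.xml and MicrosoftRecommendedBlockRules.xml already sit in the working folder (steps 1 and 2). File names match the post; the -Audit and -Deploy switches, the automatic PolicyID lookup, the single Merge-CIPolicy call and the CodeIntegrity event-log check are additions. It also assumes, as the post's "remove everything else" does, that deleting a rule option the XML does not contain is harmless.

```powershell
# Added example: WhiteMouse's WDAC build steps as one script (not from the post).
# Assumes elevated PowerShell, Windows 10 1903+, and the two XML inputs from
# steps 1 and 2 already present in $WorkDir.
[CmdletBinding()]
param(
    [string]$WorkDir = "$env:USERPROFILE\Downloads",
    [switch]$Audit,      # add option 3 (Enabled:Audit Mode): log blocks instead of enforcing
    [switch]$Deploy      # copy the .cip into CiPolicies\Active (a reboot is still required)
)

$ErrorActionPreference = 'Stop'
Set-Location $WorkDir

foreach ($f in 'DefaultWindows_Enforced.xml', 'MicrosoftRecommendedBlockRules.xml') {
    if (-not (Test-Path $f)) { throw "Missing $f in $WorkDir; do steps 1 and 2 first." }
}

# Step 3: scan both Program Files trees. -UserPEs includes user-mode binaries,
# Publisher-level rules survive app updates, Hash is the fallback for unsigned files.
$scans = [ordered]@{
    'C:\Program Files'       = '.\ProgramFiles.xml'
    'C:\Program Files (x86)' = '.\ProgramFilesx86.xml'
}
foreach ($path in $scans.Keys) {
    New-CIPolicy -ScanPath $path -UserPEs -FilePath $scans[$path] -Level Publisher -Fallback Hash
}

# Step 4: Merge-CIPolicy accepts any number of inputs, so the post's three
# chained merges collapse into one call.
$merged = '.\MergedPolicy.xml'
$inputs = @('.\DefaultWindows_Enforced.xml', '.\MicrosoftRecommendedBlockRules.xml') + @($scans.Values)
Merge-CIPolicy -PolicyPaths $inputs -OutputFilePath $merged

# Step 5: the post's rule options: 0 Enabled:UMCI, 2 Required:WHQL,
# 4 Disabled:Flight Signing, 6 Enabled:Unsigned System Integrity Policy,
# 12 Required:Enforce Store Applications, 19 Enabled:Dynamic Code Security,
# 20 Enabled:Revoked Expired As Unsigned. Every other option 0..20 is removed.
$keep = @(0, 2, 4, 6, 12, 19, 20)
if ($Audit) { $keep += 3 }
foreach ($n in 0..20) {
    if ($keep -contains $n) { Set-RuleOption -FilePath $merged -Option $n }
    else                    { Set-RuleOption -FilePath $merged -Option $n -Delete }
}

# Step 6: HVCI strict (swap for -Enabled to get the non-strict mode).
Set-HVCIOptions -Strict -FilePath $merged

# Step 7: read the PolicyID from the XML instead of copying it by hand, and name
# the binary after it so the rename step disappears. ${} stops PowerShell from
# treating ".cip" as a property of $policyId.
$xml      = [xml](Get-Content $merged -Raw)
$policyId = $xml.SiPolicy.PolicyID                    # e.g. {A6D7FBBF-...}
$cip      = ".\${policyId}.cip"
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $cip

# Sanity check: the rule options that actually ended up in the policy.
Write-Host "Policy $policyId rule options:"
$xml.SiPolicy.Rules.Rule.Option | ForEach-Object { Write-Host "  $_" }

# Step 8: deploy; the policy only takes effect after a reboot.
if ($Deploy) {
    Copy-Item $cip "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\" -Force
    Write-Host "Copied $cip; reboot to activate."
}

# After the reboot: event 3077 = file blocked (enforced), 3076 = would have
# been blocked (audit mode). Run this again to find what still needs a rule.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 3076, 3077 } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run it once with -Audit -Deploy, reboot, use the 3076 events to add any missing rules with the New-CIPolicy scans the post describes in its Note, then rebuild without -Audit. Going straight to the enforced policy, as the post does, works, but every 3077 event then means something already failed to load.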