WhiteMouse's Security Config 2023
WhiteMouse said (post 1014693):

Update:

1. First, go to "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\" and copy "DefaultWindows_Enforced.xml" to the Downloads folder.

2. Go to "Microsoft recommended block rules - Windows security" (https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules), scroll down until you see the purple note, click "Expand this section to see the WDAC policy XML" and then click on the Copy button at the top right.
[Image: 5493574395.png]
Create a new text file, paste into it, and save the file as "MicrosoftRecommendedBlockRules.xml".

3. Open Terminal (Administrator), change directory to Downloads using "cd .\Downloads\" and create a new policy for each software you INSTALLED in Program Files and Program Files (x86) using New-CIPolicy:
New-CIPolicy -ScanPath 'C:\Program Files\(name of software)' -UserPEs -FilePath ".\(name of software).xml" -Level FilePublisher -Fallback Hash
New-CIPolicy -ScanPath 'C:\Program Files (x86)\(name of software)' -UserPEs -FilePath ".\(name of software).xml" -Level FilePublisher -Fallback Hash

4. Go to "Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows) - Windows security" (https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create); there's a list of policy rules (from 0 to 20) that you can add to your DefaultWindows_Enforced.xml file. Use these commands to add or remove a policy rule:
Set-RuleOption -FilePath ".\DefaultWindows_Enforced.xml" -Option <number>
Set-RuleOption -FilePath ".\DefaultWindows_Enforced.xml" -Option <number> -Delete
I use numbers 0, 2, 4, 6, 12, 19, 20 and remove everything else. You can use Notepad to open the .xml file to see which policy rules are already there and which are missing.
For "MicrosoftRecommendedBlockRules.xml" and each "(name of software).xml", run this command:
Set-RuleOption -FilePath <Path to policy XML> -Option 3 -Delete

5. Set HVCI to either enabled mode or strict mode (optional):
Set-HVCIOptions -Enabled -FilePath ".\DefaultWindows_Enforced.xml"
Set-HVCIOptions -Strict -FilePath ".\DefaultWindows_Enforced.xml"

6. Open "DefaultWindows_Enforced.xml" with Notepad and scroll down to the end; you'll see something like this: <PolicyID>{A6D7FBBF-9F6B-4072-BF37-693741E1D745}</PolicyID>. Copy what is inside the brackets to the end of this command, and do it for each policy file except "DefaultWindows_Enforced.xml":
Set-CIPolicyIdInfo -FilePath <Path to policy XML> -SupplementsBasePolicyID (policy ID)
without the () brackets.

7. Convert every policy into a binary file:
ConvertFrom-CIPolicy -XmlFilePath <Path to policy XML> -BinaryFilePath "(Policy ID).cip"
Use the guide in 6 to find the Policy ID, but this time copy it with the {} brackets.

8. Finally, copy all of your .cip files to "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" and reboot your computer, or you can use this tool to refresh the policy: "Download Refresh CI Policy from Official Microsoft Download Center" (https://www.microsoft.com/en-us/download/details.aspx?id=102925); download the amd64 version.

Q/A:

- What is the difference between this guide and the above one?
This is much more secure, since you only whitelist specific software from a company. For example, Iobit has many programs (Driver Booster, Smart Defrag, Advanced SystemCare) and you only want to use Advanced SystemCare; this guide only allows Advanced SystemCare to run and blocks the others, while the guide above allows everything to run since they are all signed by Iobit.

- How do I update the policy when there's a new software update?
This config is very strict, so you won't be able to update software while the policies are active (except for Windows Update, Microsoft Store and Office). First, you need to temporarily turn off the protection: copy the "DefaultWindows_Enforced.xml" to Downloads or any folder you like, add audit mode to that file with "Set-RuleOption -FilePath ".\DefaultWindows_Enforced.xml" -Option 3", convert it to binary and move it to "C:\Windows\System32\CodeIntegrity\CiPolicies\Active", then run RefreshCIPolicy(AMD64).exe. After that you can freely update software without issues (but be careful, this is the only way you can get infected using this config); use 3, 4, 6, 7, 8 from the guide above to update your policy file.

Done, this is too long. I should give myself a cookie for this.
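An added example, not WhiteMouse's script and not Microsoft's, that automates steps 3, 4, 6 and 7 of the post above for a list of installed applications and for the block-rules file: it reads each policy's PolicyID out of the XML instead of copying it from Notepad, links every supplemental policy to the base policy, and names each .cip after its own ID. It assumes an elevated PowerShell whose current directory is the Downloads folder already holding DefaultWindows_Enforced.xml (rule options set per step 4) and MicrosoftRecommendedBlockRules.xml (step 2); the names in $Apps are a constructed sample.

```powershell
# Added example (not from the post). Assumes the current folder holds the base
# policy and the block-rules XML; $Apps is a constructed sample list.
$BasePolicy = '.\DefaultWindows_Enforced.xml'
$BlockRules = '.\MicrosoftRecommendedBlockRules.xml'
$Apps       = @('Advanced SystemCare', '7-Zip')

function Get-PolicyId([string]$XmlPath) {
    # Step 6 in code: read <PolicyID> from the policy XML; the value keeps its {} braces
    [xml]$doc = Get-Content -LiteralPath $XmlPath -Raw
    return $doc.SiPolicy.PolicyID
}

function Complete-SupplementalPolicy([string]$XmlPath, [string]$BaseId) {
    # Step 4: drop option 3 (Audit Mode) so this supplemental policy enforces
    Set-RuleOption -FilePath $XmlPath -Option 3 -Delete
    # Step 6: link to the base policy; the post passes the GUID without braces
    Set-CIPolicyIdInfo -FilePath $XmlPath -SupplementsBasePolicyID ($BaseId -replace '[{}]', '')
    # Step 7: the .cip file name is the policy's own ID, braces included
    $cip = ".\$(Get-PolicyId $XmlPath).cip"
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $cip
    Write-Host "$XmlPath -> $cip"
}

$baseId = Get-PolicyId $BasePolicy

foreach ($app in $Apps) {
    $outXml = ".\$app.xml"
    # Step 3: the application lives in either Program Files or Program Files (x86)
    $dir = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        ForEach-Object { Join-Path $_ $app } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $dir) { Write-Warning "$app not found under Program Files; skipped"; continue }
    # FilePublisher rules, falling back to file hashes for unsigned binaries
    New-CIPolicy -ScanPath $dir -UserPEs -FilePath $outXml -Level FilePublisher -Fallback Hash
    Complete-SupplementalPolicy -XmlPath $outXml -BaseId $baseId
}

# The block-rules policy gets the same treatment (step 4, 6 and 7 of the post)
Complete-SupplementalPolicy -XmlPath $BlockRules -BaseId $baseId

# Step 7 for the base policy itself; it supplements nothing, so no ID linking
ConvertFrom-CIPolicy -XmlFilePath $BasePolicy -BinaryFilePath ".\$baseId.cip"
```

Before copying the .cip files into the Active folder (step 8), a cautious first pass keeps option 3 on the base policy for one boot and reviews the Microsoft-Windows-CodeIntegrity/Operational event log for would-be blocks, then removes the option and rebuilds.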