Windows 11 22H2 no longer supports Software Restriction Policies (SRP)
<blockquote data-quote="ForgottenSeer 98186" data-source="post: 1026452"><p>Where do you come up with this? A block is a block; the method is irrelevant. All block methods "cripple" the process insofar as the blocked process does not execute. Using Exploit Guard to block processes does not create system instabilities.</p><p></p><p>Unlike AppLocker, SRP and WDAC, there are no known bypasses of Exploit Guard (if interpreters and other utilities that can modify Exploit Guard policies or tamper with the service are blocked). Microsoft is worried about allow policies (AppLocker) and WDAC bypasses to the extent that it explicitly puts a warning on the official WDAC learn documents page - and provides a laundry list of .exe and DLLs that should be blocked to provide full security:</p><p></p><p>[ATTACH]273174[/ATTACH]</p><p></p><p>[URL unfurl="true"]https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[/URL]</p><p></p><p></p><p>Exactly. A user can go into Security Center and temporarily turn off the block policy if they need to use one of the blocked processes, and then turn it back on when finished to restore security to a locked down state. The "On-Off" of Exploit Guard policies is immediate without a need to log-out\log-in or reboot the system. To some people this is decent "usability."</p><p></p><p></p><p>What [USER=32260]@Andy Ful[/USER] means here is that AppLocker is "block by default, allow by exception" and can include DLLs and other file types which cannot be added to Exploit Guard.</p></blockquote><p></p>