Windows Home/Pro owner? Use Software Restriction Policies!
[QUOTE="Andy Ful, post: 1006845, member: 32260"]
Finally, I found out the source of the different results. In my tests (a few months ago) I used the SmartAppControl template included in Windows\Schemas... This template looked like a full base policy, but in fact, it is not. Recently, I closely analyzed the Microsoft documentation and found out that this template should be merged with another policy file included in:

$env:windir+"\CCM\DeviceGuard\MergedPolicy_ISG.xml"

The above policy file comes from paid software, so I used one of the default templates included in the WDAC Wizard.

The SmartAppControl template must be edited: the option "Enabled:Conditional Windows Lockdown Policy" should be removed, as Microsoft suggests.

After making the binary .cip file, I deployed it in the \Active directory. But the system did not start properly because some drivers were blocked. For testing, I whitelisted all drivers, and finally this WDAC policy worked well.

Anyway, this policy alone does not work like SAC; it works as any WDAC policy on Windows 10. When SAC policies are renamed (inactive, but SAC is ON), some executables are blocked by ISG but are not blocked by SAC (tested on another snapshot). When SAC policies are active, the SAC allowlist overrides the WDAC ISG (that is good). Also, I did not manage to deploy working supplemental policies for SAC.

Conclusion.
For now, I cannot see the possibility to make SAC more usable. It is possible to use custom WDAC policies alongside SAC, but this cannot be used to whitelist something. The custom policies can only add more restrictions.

Post edited.
[/QUOTE]
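The steps Andy Ful describes (strip the "Enabled:Conditional Windows Lockdown Policy" option from the SmartAppControl template, merge it with a base template, compile the .cip and stage it in the Active folder) map onto the ConfigCI cmdlets. The script below is an added example, not code from the post or from Microsoft. It differs from what the post describes in one deliberate way: instead of whitelisting all drivers to survive the first boot, it deploys the merged policy in audit mode with "Boot Audit On Failure" set, so a blocked boot driver is logged rather than fatal, and it adds a helper that reads the resulting CodeIntegrity events. The template location, the WDAC Wizard export name and the policy name are assumptions, labelled in the code; point the parameters at your own files. Consistent with the post's conclusion, this produces a stand-alone WDAC policy and does nothing to let SAC allow anything.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the forum post): build a base WDAC policy from the
# SmartAppControl template, merge it with a Wizard template, compile and stage it.
# Assumed: Windows 10/11 with the ConfigCI module; both input paths below are
# placeholders to verify on your own machine.
param(
    [string]$SacTemplate  = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml", # assumed location
    [string]$BaseTemplate = "$env:USERPROFILE\Documents\WDACWizard_DefaultWindows.xml",           # hypothetical Wizard export
    [string]$WorkDir      = "$env:TEMP\wdac-sac",
    [switch]$Enforce      # leave off for the first boot: audit mode only
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$edited = Join-Path $WorkDir 'SmartAppControl-edited.xml'
$merged = Join-Path $WorkDir 'Merged.xml'

# 1. Remove the "Enabled:Conditional Windows Lockdown Policy" rule option.
#    The <Rule> element is deleted directly from the XML, so no Set-RuleOption
#    option number has to be looked up for it. The copy in @() lets us remove
#    children while iterating.
[xml]$xml = Get-Content -LiteralPath $SacTemplate -Raw
$rules = $xml.SiPolicy.Rules
foreach ($rule in @($rules.Rule)) {
    if ($rule.Option -eq 'Enabled:Conditional Windows Lockdown Policy') {
        [void]$rules.RemoveChild($rule)
    }
}
$xml.Save($edited)

# 2. Merge with an ordinary base template; the output is a complete base policy.
Merge-CIPolicy -PolicyPaths $edited, $BaseTemplate -OutputFilePath $merged | Out-Null

# 3. Recovery rails before the first boot under this policy:
#    6  = Enabled:Unsigned System Integrity Policy (we stage an unsigned .cip)
#    9  = Enabled:Advanced Boot Options Menu (F8 remains available)
#    10 = Enabled:Boot Audit On Failure (a blocked boot driver flips to audit)
#    3  = Enabled:Audit Mode (log instead of block until -Enforce is used)
foreach ($opt in 6, 9, 10) { Set-RuleOption -FilePath $merged -Option $opt }
if ($Enforce) { Set-RuleOption -FilePath $merged -Option 3 -Delete }
else          { Set-RuleOption -FilePath $merged -Option 3 }

# 4. Give the merged policy a fresh PolicyID so it cannot collide with the
#    templates' IDs, then read the ID back: the .cip must be named after it.
Set-CIPolicyIdInfo -FilePath $merged -ResetPolicyID | Out-Null
Set-CIPolicyIdInfo -FilePath $merged -PolicyName 'SAC template merged (test)'   # assumed name
$policyId = ([xml](Get-Content -LiteralPath $merged -Raw)).SiPolicy.PolicyID   # "{GUID}"

# 5. Compile to binary and stage it in the multiple-policy Active folder.
$cip = Join-Path $WorkDir "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $cip | Out-Null
$active = "$env:windir\System32\CodeIntegrity\CiPolicies\Active"
Copy-Item -LiteralPath $cip -Destination (Join-Path $active "$policyId.cip") -Force
$mode = if ($Enforce) { 'ENFORCE' } else { 'AUDIT' }
Write-Host "Staged $policyId in $active ($mode). Reboot to load it."

# 6. After the reboot: what the policy blocked (3077) or would have blocked (3076).
#    Run this before switching to -Enforce; drivers listed here are the ones the
#    post ran into.
function Get-CiBlockEvents {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'Mode'; e = { if ($_.Id -eq 3076) { 'audit' } else { 'block' } } },
                  Message
}
```

Run it once without -Enforce, reboot, and call Get-CiBlockEvents; every 3076 entry is something that an enforced deployment would have stopped, which is where the missing driver rules show up without an unbootable system. Only after that list is empty or covered by rules should the script be re-run with -Enforce. The policy is still an ordinary WDAC base policy: it restricts alongside SAC, exactly as the post concludes, and cannot add to the SAC allowlist.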