WDAC Policy

Peter Scott 0 Reputation points
2023-05-30T23:33:41.9533333+00:00

Hello,

I have been using WDAC policies in various scenarios but ran across an interesting problem.

If I create an "Allow" driver policy that only allows Windows signed drivers, in audit mode, when I attempt to manually start my test driver, or if I set it to a BOOT start driver, I see the event surfacing the attempt to load the driver. This is as expected.

Now if I create a "Deny" policy based on the "RecommendedDriverBlock_Enforce.xml" example policy and trim it down to only have the allow * rule and a specific rule to deny my test driver by name, I see something odd. It is also changed to audit. If the driver is set to BOOT start, then I see the event which indicates the attempt to load the driver and it would have been blocked.

But if I set the driver to manual start, and then start the driver after a reboot using sc.exe, it starts, as expected, but there is no event indicating that there was an attempt to load the driver.

I would first think it is my policy but it works for boot, just not manual start.

Can anyone shed light on what could be happening?

Thanks,

Pete
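As an added check (example code, not part of the question above), the script below pulls the Code Integrity operational log for the two WDAC block events, 3076 (audit mode, "would have been blocked") and 3077 (enforced, blocked), and matches them against a driver file name, so a manual-start load with and without a recorded event can be compared directly. It also lists 3099 policy-activation events since the chosen start time, which tells you whether the trimmed deny policy was actually active on the boot that preceded the `sc.exe start`. The driver name is a placeholder, and the `FileNameBuffer` event field is assumed to carry the path of the image that was evaluated; all other payload fields are dumped as-is rather than named.

```powershell
# Added example: correlate WDAC block events with a specific driver name.
# Assumptions: 'TestDriver.sys' is a placeholder; FileNameBuffer is the event
# data field holding the evaluated image path (other fields are printed raw).

param(
    [string]   $DriverName = 'TestDriver.sys',           # placeholder, replace with your driver
    [datetime] $Since      = (Get-Date).AddHours(-2)     # window around the reboot + manual start
)

$log = 'Microsoft-Windows-CodeIntegrity/Operational'

# 1. Was a policy refreshed/activated in the window? (3099 = policy activation)
$activations = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3099; StartTime = $Since } -ErrorAction SilentlyContinue
if ($activations) {
    Write-Host ("Policy activation events (3099) since {0}: {1}" -f $Since, $activations.Count)
} else {
    Write-Host "No 3099 policy activation events since $Since; verify the policy was deployed before the reboot."
}

# 2. Pull audit (3076) and enforced (3077) block events in the same window.
$blocks = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3076, 3077; StartTime = $Since } -ErrorAction SilentlyContinue
if (-not $blocks) {
    Write-Host "No 3076/3077 events in $log since $Since."
    return
}

# 3. Parse each event's <EventData><Data Name="..."> payload and keep the ones
#    whose evaluated file name ends with the driver we care about.
$matches = foreach ($e in $blocks) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $file = $data['FileNameBuffer']   # assumed field name for the evaluated image path
    if ($file -and $file -like "*\$DriverName") {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Mode        = if ($e.Id -eq 3076) { 'AUDIT (would have blocked)' } else { 'ENFORCED (blocked)' }
            File        = $file
            Payload     = $data          # every remaining field, unmodified, for manual inspection
        }
    }
}

if ($matches) {
    $matches | Sort-Object TimeCreated | Format-List TimeCreated, EventId, Mode, File
} else {
    Write-Host ("{0} block events found, none for *\{1}. The load was either not evaluated against the policy or the file name in the rule differs." -f $blocks.Count, $DriverName)
}
```

Run it once after the BOOT-start reboot (where the event is expected) and once after the manual `sc.exe start`; if the second run shows no 3076 for the driver but 3099 confirms the policy was active, the missing event is worth raising with the policy itself rather than with logging.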

Windows 10 Security