WDAC implementation: fail to allow a specific program based on a FilePublisher policy
Dear community,
I'm trying to implement WDAC on a Windows 11 workstation.
I successfully deployed
- a base policy in enforced mode
- a supplemental policy in enforced mode based on Hash file level
What I'm trying now is to implement a supplemental policy based on the FilePublisher Level. Unfortunately it fails for no known reason.
What I did basically is the following to create the supplemental policy:
$files = Get-SystemDriver -ScanPath "C:\Users\tristan\AppData\Local\CommuSoft\client" -NoScript -UserPEs
$rules = New-CIPolicyRule -Level FilePublisher -SpecificFileNameLevel FilePath -DriverFiles $files
New-CIPolicy -MultiplePolicyFormat -FilePath CommuSoft.xml -Rules $rules
Then I applied this Supplemental policy as I did before.
But, when launching my CommuSoft program, it is blocked by WDAC with the following event log:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume3\Users\user\AppData\Local\CommuSoft\client\CommuSoftClient.exe that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{6e3eb6b2-4061-4c75-bf30-4c20b17bea73}).
6e3eb6b2-4061-4c75-bf30-4c20b17bea73 is my base policy.
What's strange is that the executable is in my CommuSoft.xml file:
<FileRules>
<FileAttrib ID="ID_FILEATTRIB_F_122_0" FriendlyName="C:\Users\user\AppData\Local\CommuSoft\client\CommuSoftClient.exe FileAttribute" MinimumFileVersion="17.1.6.0" FilePath="C:\Users\user\AppData\Local\CommuSoft\client\CommuSoftClient.exe"/>
</FileRules>
<Signers>
<Signer ID="ID_SIGNER_F_147" Name="DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1">
<CertRoot Type="TBS" Value="65B1D4076A89AE273F57E6EEEDECB3EAE129B4168F76FA7671914CDF461D542255C59D9B85B916AE0CA6FC0FCF7A8E64"/>
<CertPublisher Value="CommuSoft"/>
<FileAttribRef RuleID="ID_FILEATTRIB_F_122"/>
</Signer>
</Signers>
<SigningScenarios>
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 06-19-2024">
<ProductSigners>
<AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_F_147"/>
</AllowedSigners>
</ProductSigners>
</SigningScenario>
</SigningScenarios>
So, I have the impression some rules are not taken into account, but I do not know how to dig deeper with the only log file I have. Any clue? Thank you for your help :)
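As an added troubleshooting example (not part of the original post), the script below checks the three things a WDAC engineer would look at first for a supplemental FilePublisher policy that does not take effect: that the XML is really a supplemental policy pointing at the enforced base policy's ID, that every FileAttribRef and AllowedSigner resolves to an existing ID (in the snippet above the FileAttribRef says ID_FILEATTRIB_F_122 while the FileAttrib is ID_FILEATTRIB_F_122_0, which is exactly what such a check flags), and what the 3089 signature events correlated with the 3077 block say about the signer WDAC actually evaluated. The policy path C:\Policies\CommuSoft.xml is an assumption.

```powershell
# Added troubleshooting script, not from the original post. Assumes the
# supplemental policy was saved as C:\Policies\CommuSoft.xml (path is a guess).
$PolicyPath = 'C:\Policies\CommuSoft.xml'
$BlockedExe = 'CommuSoftClient.exe'

[xml]$policy = Get-Content -Path $PolicyPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
$ns.AddNamespace('p', 'urn:schemas-microsoft-com:sipolicy')

# 1. Policy identity. A supplemental policy must say PolicyType="Supplemental Policy"
#    and carry a BasePolicyID equal to the ID of the enforced base policy.
$root     = $policy.SelectSingleNode('/p:SiPolicy', $ns)
$policyId = $policy.SelectSingleNode('/p:SiPolicy/p:PolicyID', $ns).InnerText
$baseNode = $policy.SelectSingleNode('/p:SiPolicy/p:BasePolicyID', $ns)
$baseId   = if ($baseNode) { $baseNode.InnerText } else { '(none: not multiple-policy format)' }
"PolicyType={0}  PolicyID={1}  BasePolicyID={2}" -f $root.GetAttribute('PolicyType'), $policyId, $baseId
if ($policyId -eq $baseId) { Write-Warning 'PolicyID equals BasePolicyID: this file is a base policy, not a supplemental one.' }

# 2. Cross-references. Each FileAttribRef must point at an existing FileAttrib ID and
#    each AllowedSigner at an existing Signer ID; a dangling reference means the
#    signer is never tied to the file it was meant to allow.
$attribIds = @($policy.SelectNodes('//p:FileAttrib', $ns) | ForEach-Object { $_.GetAttribute('ID') })
foreach ($ref in $policy.SelectNodes('//p:FileAttribRef', $ns)) {
    $ruleId = $ref.GetAttribute('RuleID')
    if ($attribIds -notcontains $ruleId) {
        Write-Warning ("Signer {0} references missing FileAttrib '{1}'" -f $ref.ParentNode.GetAttribute('ID'), $ruleId)
    }
}
$signerIds = @($policy.SelectNodes('//p:Signer', $ns) | ForEach-Object { $_.GetAttribute('ID') })
foreach ($allowed in $policy.SelectNodes('//p:AllowedSigner', $ns)) {
    $sid = $allowed.GetAttribute('SignerId')
    if ($signerIds -notcontains $sid) { Write-Warning "AllowedSigner references missing Signer '$sid'" }
}

# 3. Events. 3077 is the block itself; the 3089 events sharing its correlation
#    ActivityId describe every signature WDAC evaluated for that file (issuer,
#    publisher, chain validity), which shows why the signer rule did not match.
$log    = 'Microsoft-Windows-CodeIntegrity/Operational'
$blocks = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3077 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$BlockedExe*" }
foreach ($b in $blocks) {
    "`n[{0}] 3077: {1}" -f $b.TimeCreated, ($b.Message -split "`n")[0]
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3089 } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.ActivityId -eq $b.ActivityId } |
        ForEach-Object { $_.Message }
}
```

Run it from an elevated PowerShell on the workstation; the event-log section needs administrator rights to read the Code Integrity operational log.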