Will Dormann (@[email protected])

Attached: 2 images I recently deleted a thread here as my tests were not valid. What was wrong? The driver I was using as an example of "blocked via signer" was indeed in the [Microsoft recommended driver block rules](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules) list for **TWO YEARS** (It's present in a March 2023 version of the list). Given that the blocklist is updated on Windows endpoints "1-2 times per year", this should be present in the blocklist on a Win11 machine in 2025, right? Get real. It's bugs all the way down. No, I haven't (yet?) investigated which drivers are in the official list online, but are missing on Windows endpoints. But the fact that the first viable-for-testing driver that I chose was **NOT** in the list on endpoints... let's just say that this isn't a good sniff test. Anyway, the problem that came to my attention on the Bad Place was that a user complained that that a driver that was expected to be blocked was being allowed to run if HVCI ("Memory integrity") wasn't enabled. This can't be right, can it? Yes, it's true. The drivers listed in the Microsoft recommended driver block rules list by way of their signing certificate do **NOT** result in the driver being blocked (via WDAC). So just as a test, I created my own WDAC block list (with [App Control Wizard]( https://webapp-wdac-wizard.azurewebsites.net/) and applying it with [ApplyWDAC](https://github.com/vu-ls/applywdac)) for an arbitrary driver. Let's compare 3 drivers that should be blocked, on a system with HVCI off, and on a system with HVCI on. - Blocked via Authentihash in the MS vulnerable driver blocklist - Blocked via Signer Cert in the MS vulnerable driver blocklist - Blocked via Signer Cert via WDAC manually If you do not have HVCI enabled, you are likely missing driver blocks that you are supposed to be getting.