MicrosoftDocs / WDAC-Toolkit

Documentation and tools to access Windows Defender Application Control (WDAC) technology.
Creative Commons Attribution 4.0 International
201 stars, 43 forks

Corruption in generated policy if it previously contained exceptions #384

Closed pasqualm closed 5 months ago

pasqualm commented 5 months ago

When updating an XML policy with the WDAC Wizard, if some of its rules contained file path exceptions, it's fairly common that it becomes corrupt when adding new rules. The IDs of the exceptions are messed up, so the file becomes corrupt; it can be checked with a command like this one:

PS C:\Users\xxx\source_code\WDAC\policies>  Merge-CIPolicy -OutputFilePath .\kkk.xml -PolicyPaths .\WDAC-BlackList-AllowAll_v1.0.3.36.xml
Merge-CIPolicy : "Documento con formato incorrecto: debe haber un nodo con el ID = ID_ALLOW_A_0015_2_1_1_0_0_0"
En línea: 1 Carácter: 2
+  Merge-CIPolicy -OutputFilePath .\kkk.xml -PolicyPaths .\WDAC-BlackLi ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Merge-CIPolicy], CIPolicyException
    + FullyQualifiedErrorId : Microsoft.SecureBoot.UserConfig.CIPolicyException,Microsoft.SecureBoot.UserConfig.MergeCIPolicy

PS C:\Users\xxx\source_code\WDAC\policies>

If I inspect the original policy, the original rule was like this:

          <DeniedSigner SignerId="ID_SIGNER_S_0020_31_30_30_0_0">
            <ExceptAllowRule AllowRuleID="ID_ALLOW_A_0015_2_1_1_0_0" />
            <ExceptAllowRule AllowRuleID="ID_ALLOW_A_0014_3_2_2_0_0" />
          </DeniedSigner>
...
    <Allow ID="ID_ALLOW_A_0015_2_1_1_0_0" FriendlyName="" FilePath="%OSDRIVE%\Program Files\WinRAR\Uninstall.exe" />
    <Allow ID="ID_ALLOW_A_0014_3_2_2_0_0" FriendlyName="" FilePath="%OSDRIVE%\Program Files\WinRAR\RarExtInstaller.exe" />

In the corrupt policy it has become this:

          <DeniedSigner SignerId="ID_SIGNER_S_0020_31_30_30_30">
            <ExceptAllowRule AllowRuleID="ID_ALLOW_A_0015_2_1_1_0_0_0" />
            <ExceptAllowRule AllowRuleID="ID_ALLOW_A_0014_3_2_2_0_0_0" />
          </DeniedSigner>
...
    <Allow ID="ID_ALLOW_A_0015_2_1_1_0" FriendlyName="" FilePath="%OSDRIVE%\Program Files\WinRAR\Uninstall.exe" />
    <Allow ID="ID_ALLOW_A_0014_3_2_2_1" FriendlyName="" FilePath="%OSDRIVE%\Program Files\WinRAR\RarExtInstaller.exe" />

So the AllowRuleIDs don't match, and that generates the corruption.
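The mismatch above is a dangling reference: an `ExceptAllowRule` points at an `AllowRuleID` that no `Allow` element in `FileRules` declares, and the signer reference was renumbered at the same time. The following PowerShell function is an added example, not part of the WDAC-Toolkit project or the reporter's post; it walks a policy XML and reports every `ExceptAllowRule`, `ExceptDenyRule`, `AllowedSigner` and `DeniedSigner` whose referenced ID does not exist, so a wizard-edited policy can be checked before `Merge-CIPolicy` rejects it. It assumes the standard `urn:schemas-microsoft-com:sipolicy` namespace and the usual `FileRules`/`Signers`/`SigningScenarios` layout; the inline sample policy is constructed to mirror the corrupt IDs quoted in the report and is not a loadable policy.

```powershell
# Added example (not WDAC-Toolkit code): detect dangling rule/signer references
# in a WDAC policy XML, i.e. the ID mismatch described in the issue above.
function Test-CIPolicyReferences {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [xml]$Policy
    )

    # Policy elements live in the SiPolicy default namespace, so XPath needs a prefix.
    $ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
    $ns.AddNamespace('p', 'urn:schemas-microsoft-com:sipolicy')

    # IDs that are actually declared in the policy
    $allowIds  = @($Policy.SelectNodes('//p:FileRules/p:Allow', $ns) | ForEach-Object { $_.GetAttribute('ID') })
    $denyIds   = @($Policy.SelectNodes('//p:FileRules/p:Deny',  $ns) | ForEach-Object { $_.GetAttribute('ID') })
    $signerIds = @($Policy.SelectNodes('//p:Signers/p:Signer',  $ns) | ForEach-Object { $_.GetAttribute('ID') })

    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Exceptions under a signer must point at an existing Allow / Deny rule ID
    foreach ($node in $Policy.SelectNodes('//p:ExceptAllowRule', $ns)) {
        $ref = $node.GetAttribute('AllowRuleID')
        if ($allowIds -notcontains $ref) {
            $problems.Add("ExceptAllowRule -> missing Allow ID '$ref' (under $($node.ParentNode.Name) SignerId='$($node.ParentNode.GetAttribute('SignerId'))')")
        }
    }
    foreach ($node in $Policy.SelectNodes('//p:ExceptDenyRule', $ns)) {
        $ref = $node.GetAttribute('DenyRuleID')
        if ($denyIds -notcontains $ref) {
            $problems.Add("ExceptDenyRule -> missing Deny ID '$ref'")
        }
    }

    # AllowedSigner / DeniedSigner must point at a declared Signer
    foreach ($node in $Policy.SelectNodes('//p:AllowedSigner | //p:DeniedSigner', $ns)) {
        $ref = $node.GetAttribute('SignerId')
        if ($signerIds -notcontains $ref) {
            $problems.Add("$($node.Name) -> missing Signer ID '$ref'")
        }
    }

    [pscustomobject]@{
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample (hypothetical, minimal, not a loadable policy): the Allow rule was
# renumbered to ..._0 while the exception still references ..._0_0_0, and the
# DeniedSigner SignerId no longer matches the declared Signer, as in the report.
$sample = [xml]@"
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Signers>
    <Signer ID="ID_SIGNER_S_0020_31_30_30_0_0" Name="constructed signer" />
  </Signers>
  <FileRules>
    <Allow ID="ID_ALLOW_A_0015_2_1_1_0" FriendlyName="" FilePath="%OSDRIVE%\Program Files\WinRAR\Uninstall.exe" />
  </FileRules>
  <SigningScenarios>
    <SigningScenario ID="ID_SIGNINGSCENARIO_WINDOWS">
      <ProductSigners>
        <DeniedSigners>
          <DeniedSigner SignerId="ID_SIGNER_S_0020_31_30_30_30">
            <ExceptAllowRule AllowRuleID="ID_ALLOW_A_0015_2_1_1_0_0_0" />
          </DeniedSigner>
        </DeniedSigners>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
"@

$result = Test-CIPolicyReferences -Policy $sample
$result.Problems | ForEach-Object { Write-Output $_ }   # two problems reported for the sample

# On a real file, e.g. the policy from the report:
# Test-CIPolicyReferences -Policy ([xml](Get-Content -Raw .\WDAC-BlackList-AllowAll_v1.0.3.36.xml)) | Format-List
```

Running this on the constructed sample reports the dangling `ID_ALLOW_A_0015_2_1_1_0_0_0` exception and the unmatched `ID_SIGNER_S_0020_31_30_30_30` signer reference. The check is purely referential; it does not replace `Merge-CIPolicy` or `ConvertFrom-CIPolicy` as the authoritative validator, but it pinpoints which element is broken instead of only the first missing ID the cmdlet stops on.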

jgeurten commented 5 months ago

Good report and find, @pasqualm. I can repro this issue.