search

MicrosoftDocs / WDAC-Toolkit

Documentation and tools to access Windows Defender Application Control (WDAC) technology.
Creative Commons Attribution 4.0 International
201 stars 43 forks source link

Fix recommended deny rule for BGInfo #423

Open realHorst opened 1 week ago

realHorst commented 1 week ago

The current recommended (template) rule for denying vulnerable versions of BGInfo.exe is incorrectly set to MinimumFileVersion="4.21.0.0" even though all versions up to and including 4.21 are the vulnerable ones.

This pull requests fixes these by replacing it with MaximumFileVersion="4.21.0.0", therefore no longer blocking the fixed versions of BGInfo.

Reference: "1 A vulnerability in bginfo.exe was fixed in version 4.22. If you use BGInfo, for security, make sure to download and run the latest version of BGInfo. BGInfo versions earlier than 4.22 are still vulnerable and should be blocked." https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol

Fixed in v4.22: "This release of Bginfo honors Device Guard policy for VB scripts specified as the source of field data." https://techcommunity.microsoft.com/blog/sysinternals-blog/sysinternals-update-procdump-v9-autoruns-v13-71-bginfo-v4-22-livekd-v5-62-proces/726072

realHorst commented 1 week ago

@microsoft-github-policy-service agree