microsoft / AaronLocker

Robust and practical application control for Windows
MIT License
595 stars 72 forks

Unexpected Allow in WDAC Deny Rules from createpolicy #28

Closed bryan-osisoft closed 3 years ago

bryan-osisoft commented 3 years ago
Wh00T commented 3 years ago

Some additional information: Two Allow rules are part of both Deny policy files: WDACRules-20210122-0524-Deny-Audit.xml WDACRules-20210122-0524-Deny-Enforce.xml

<Allow ID="ID_ALLOW_A_1_0" FriendlyName="" FileName="*" />
<Allow ID="ID_ALLOW_A_2_0" FriendlyName="" FileName="*" />


But I don't think it's a bug, as both rules are referenced further down below to block two signing scenarios.


jsuther1974 commented 3 years ago

This is by design. The policy is "Allow everything except these specific things". Without the Allow rules, then the policy would implicitly block everything and explicitly* block a few things, but allow nothing.
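To make that design point checkable, here is an added example (not code from the AaronLocker project or from anyone in this thread): it parses a constructed WDAC policy fragment modelled on the SiPolicy schema and reports, per signing scenario, whether the scenario references a wildcard Allow rule (a deny-list posture, as in the generated Deny policies) or not (an allow-list posture, where anything not explicitly allowed is implicitly blocked). The sample XML, its rule IDs other than the two from the issue, and the Deny file name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the WDAC SiPolicy schema; not a file from the issue.
# Two wildcard Allow rules, one Deny rule, and two signing scenarios referencing them.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Allow ID="ID_ALLOW_A_1_0" FriendlyName="" FileName="*" />
    <Allow ID="ID_ALLOW_A_2_0" FriendlyName="" FileName="*" />
    <Deny ID="ID_DENY_D_1_0" FriendlyName="constructed" FileName="example-blocked.exe" />
  </FileRules>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel mode">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_ALLOW_A_1_0" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User mode">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_ALLOW_A_2_0" />
          <FileRuleRef RuleID="ID_DENY_D_1_0" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>"""


def scenario_posture(policy_xml: str) -> dict:
    """Return {scenario_id: (posture, referenced_rule_ids)}.

    'deny-list'  = scenario references an Allow rule with FileName="*"
                   (allow everything except the explicit Deny rules).
    'allow-list' = no wildcard Allow referenced; unlisted files are implicitly blocked.
    """
    root = ET.fromstring(policy_xml)
    rules = {}  # rule ID -> (kind, FileName); '{*}' matches any XML namespace
    for kind in ("Allow", "Deny"):
        for rule in root.iterfind(f".//{{*}}{kind}"):
            rules[rule.get("ID")] = (kind, rule.get("FileName"))
    result = {}
    for scenario in root.iterfind(".//{*}SigningScenario"):
        refs = [r.get("RuleID") for r in scenario.iterfind(".//{*}FileRuleRef")]
        wildcard_allow = any(rules.get(rid) == ("Allow", "*") for rid in refs)
        result[scenario.get("ID")] = ("deny-list" if wildcard_allow else "allow-list", refs)
    return result
```

Dropping the `ID_ALLOW_A_2_0` reference from the user-mode scenario flips its posture to `allow-list`, which is the "block everything, allow nothing" outcome described above.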