Device Guard - The Beginning of the End for Malware?
News category: Video
Source: malwaretech.com
Device Guard Code Integrity Policy
Scope
Executables violating the policy are simply blocked from running at all.
Trying to hijack explorer.exe with an unsigned DLL results in STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION.
PowerShell runs in constrained language mode and blocks unsigned scripts.
Flexibility
- PCA Certificate - All files signed with a leaf certificate that chains up to the whitelisted PCA certificate (Ex: Any file signed with a VeriSign Extended Validation certificate).
- Leaf Certificate - All files signed with a specific code signing certificate (the ones issued to vendors).
- Hash - Allow a single file by its SHA2 hash (Good for unsigned applications).
- FileName - Just...just don't.
- Publisher - Like PCA, but with the ability to only allow applications from certain publishers (the "common name" of the leaf certificate Ex: Only leaf certificates issued to Microsoft).
- WHQL - Allow kernel drivers which are signed & verified by WHQL.
- WHQL Publisher - Same as Publisher but only for signed & verified WHQL drivers.
Example of a CodeIntegrity event
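The following is an added example, not code from the MalwareTech post: it walks the rule levels listed under Flexibility and the CodeIntegrity event shown above through one end-to-end workflow, using the ConfigCI cmdlets that ship with Windows 10 Enterprise. It builds a policy at the Publisher level (falling back to Hash rules for unsigned files), deploys it in audit mode, queries the CodeIntegrity operational log for the audit (3076) and enforced-block (3077) events, and then flips the policy to enforcement. The working directory C:\CIPolicy is a constructed path, and the scan root and 24-hour review window are assumptions you would adjust for your own golden image.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session on Windows 10 Enterprise with the ConfigCI module available.
# C:\CIPolicy is a constructed working directory.

$WorkDir   = 'C:\CIPolicy'
$PolicyXml = Join-Path $WorkDir 'DeviceGuardPolicy.xml'
$PolicyBin = Join-Path $WorkDir 'SIPolicy.p7b'
$Deployed  = Join-Path $env:windir 'System32\CodeIntegrity\SIPolicy.p7b'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Scan the golden image and generate rules.
#    -Level Publisher whitelists the leaf certificate's common name under its
#    issuing PCA (the "Publisher" level above), so a rogue cert from the same
#    CA but a different vendor is not trusted.
#    -Fallback Hash covers unsigned binaries with a per-file SHA2 hash rule
#    rather than silently leaving them out of the policy.
#    -UserPEs turns on user-mode code integrity (UMCI) as well as kernel mode.
New-CIPolicy -FilePath $PolicyXml `
             -Level Publisher `
             -Fallback Hash `
             -ScanPath 'C:\' `
             -UserPEs

# 2. Start in audit mode: violations are logged, not blocked.
#    Rule option 3 = Enabled:Audit Mode.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile the XML into the binary form the kernel loads at boot and stage it.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination $Deployed -Force
# (reboot here; the policy takes effect on the next boot)

# 4. After running normal workloads, review what the policy would have blocked.
#    Event 3076 = audit-mode violation, 3077 = block under enforcement.
#    The file and calling process are in the event message text.
function Get-CIPolicyViolation {
    param([int]$Hours = 24)   # review window is an assumption
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

Get-CIPolicyViolation -Hours 24 | Format-Table -Wrap -AutoSize

# 5. Once the audit log shows only expected hits (or none), drop the audit
#    option, recompile and redeploy. From the next boot, unsigned or
#    non-whitelisted executables fail with STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination $Deployed -Force
```

Keep the policy in audit mode until the 3076 stream is quiet for a full patch and update cycle; any legitimate unsigned tool that shows up there should get a Hash rule added to the XML before enforcing, since a FileName rule would let an attacker bypass the policy simply by renaming a binary.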
Virtualization Based Protection of Code Integrity
Conclusion
- UMCI prevents an adversary from social-engineering the victim into running malware (unless they can get hold of a whitelisted certificate).
- On Windows 10 Google Chrome & Internet Explorer run inside an isolated container known as AppContainer, so even if the browser were exploited, the code would run in total isolation.
- If the code somehow escapes AppContainer, it would still need a method of persisting across reboot, bearing in mind the UMCI policy prevents unsigned code from being added to start-up and it's kind of hard to exploit applications during boot.