WDAC File Exclusions Not Working

DukeOfAwesome 20 Reputation points
2023-07-04T04:43:24.87+00:00

Hi Everyone,

I've been playing with this for the past two weeks and have a good grip on the way it differs from AppLocker. I have come across an issue during testing with Connectwise Control: when an on-demand support session is created on a PC with WDAC implemented, the support exe file is allowed to run because of the exceptions I've implemented and the file is officially signed by Connectwise, but halfway through the execution process it fails.

Looking through the event logs I see:

Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe) attempted to load \Device\HarddiskVolume3\Users\<user>\AppData\Local\Temp\Deployment\72TG2L8V.2QY\JRAY8RDK.535\ScreenConnect.Client.dll that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{23251f30-d915-4ec2-b436-9c5aefa1e1ea}).

This happens for 2 DLLs, and no matter what I do to exclude the following files:

screenconnect.client.dll

screenconnect.windows.dll

they are never allowed to run, because none of these DLL files are signed. I've tried file hash and path exceptions, and still the problem persists. How can I work around this? How can you get these unsigned files to run given the exceptions?

These are the file path rules I have applied that don't work.

Filepath: *\screenconnect.client.dll

Filepath: *\screenconnect.windows.dll

I am using the WDAC Policy Wizard to create my policies, which works brilliantly, and have tried both the more restrictive "Allow Microsoft Mode" and the less restrictive "Signed and Reputable Mode"; in both instances the results are the same.

The hash file is empty because there is no file signature, or at least that's my understanding. I've even tried a File Attributes exclusion, but that delivered the same results.

Thanks in advance


Accepted answer
  1. Nick Eckermann 591 Reputation points
    2023-07-10T15:20:35.76+00:00

    You could run something like this. You can either scan the whole location or you can copy the 2 files in question out and just scan them.

    New-CIPolicy -FilePath "C:\PathToOutputXML\Complete.xml" -Level Publisher -ScanPath "c:\PathToWhereDLLsAreFound\" -UserPEs -Fallback Hash

    Take a look and find the details of the files you are having problems with in the filepath output xml.

    You can manually copy the details into your xml built with the policy wizard or merge them.

    Merge-CIPolicy -PolicyPaths "C:\PathToOutputXML\Complete.xml", "C:\PathToExistingXML\File.xml" -OutputFilePath "C:\PathToOutputMergedXML\Merged.xml"
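    The scan-then-merge flow from this answer, as an added worked example that is not part of the answer or of any Microsoft tooling. It adds the two checks a practitioner wants before deploying: confirm the DLLs really are unsigned (so `-Fallback Hash` is what produces their rules), and confirm the merged XML actually contains `Hash` rules for the two file names before it is compiled to a binary. All paths are assumptions; the SiPolicy XML namespace and the `FileRules/Allow` layout with a `FriendlyName` attribute are what `New-CIPolicy` emits.

```powershell
# Added example (not from the answer above). Paths are assumptions; replace them.
$ScanDir   = 'C:\CIScan\ScreenConnect'                   # assumed: folder holding the copied DLLs
$BasePath  = 'C:\CIPolicies\SignedAndReputableBase.xml'  # assumed: base policy exported from the Wizard
$SuppPath  = 'C:\CIPolicies\ScreenConnect-Scan.xml'
$MergedXml = 'C:\CIPolicies\Merged.xml'
$MergedBin = 'C:\CIPolicies\Merged.cip'

# 1. Confirm the premise: Status is NotSigned for files with no Authenticode
#    signature, which is why -Level Publisher cannot match them on its own.
Get-ChildItem -Path $ScanDir -Filter '*.dll' |
    Get-AuthenticodeSignature |
    Select-Object @{n='File';e={Split-Path $_.Path -Leaf}}, Status,
                  @{n='Signer';e={$_.SignerCertificate.Subject}} |
    Format-Table -AutoSize

# 2. Scan: Publisher rules where a signature exists, Hash rules where it does not.
New-CIPolicy -FilePath $SuppPath -Level Publisher -Fallback Hash `
             -ScanPath $ScanDir -UserPEs

# 3. Merge the scan output into the existing base policy.
Merge-CIPolicy -PolicyPaths $SuppPath, $BasePath -OutputFilePath $MergedXml

# 4. Verify before deploying: hash rules are <Allow Hash="..."> elements under
#    <FileRules>, with the scanned file path in FriendlyName. New-CIPolicy emits
#    several per file (full and page hashes, SHA1 and SHA256).
[xml]$policy = Get-Content -Path $MergedXml -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
$ns.AddNamespace('p', 'urn:schemas-microsoft-com:sipolicy')

foreach ($dll in 'screenconnect.client.dll', 'screenconnect.windows.dll') {
    $rules = @($policy.SelectNodes('//p:FileRules/p:Allow[@Hash]', $ns) |
               Where-Object { $_.FriendlyName -like "*$dll*" })
    if ($rules.Count -eq 0) {
        Write-Warning "No hash rule for $dll in $MergedXml; deploying this policy will not unblock it."
    } else {
        Write-Host ("{0}: {1} hash rule(s) present" -f $dll, $rules.Count)
    }
}

# 5. Only after the check passes, compile to the binary that gets uploaded.
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $MergedBin
```

    One caveat the check makes visible: a hash rule pins one exact build of the DLL, so every ScreenConnect update will need a rescan and re-merge, whereas a publisher rule would survive updates if the vendor ever signed these files.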

3 additional answers

  1. Nick Eckermann 591 Reputation points
    2023-07-21T14:31:23.41+00:00

    Learning this portal for the first time. ;)


  2. DukeOfAwesome 20 Reputation points
    2023-07-11T06:06:49.4866667+00:00

    Hi Nick,

    Thanks for the suggestion, but it didn't work. I put all the DLLs in a folder and ran:

    New-CIPolicy -FilePath "C:\Users\<user>\Downloads\test\Complete.xml" -Level Publisher -ScanPath "C:\Users\<user>\Downloads\test\" -UserPEs -Fallback Hash

    Then I merged the Complete.xml into the existing "Signed and Reputable Mode" xml I had (SignedAndReputableBase-20230704_v10.0.1.5.xml) using the WDAC Policy Wizard's merge function, re-uploaded the bin file and ensured it was applied to the test PC.

    This is driving me insane; there must be a way to do this, surely. Do you have any other suggestions?

    Thanks


  3. 71644982 0 Reputation points
    2023-08-03T12:08:24.07+00:00

    If the file path is user writable, WDAC will ignore the file path rule, because if it didn't, any non-admin user could copy and execute files in that location. To disable this behaviour you can set:

    Disabled:Runtime FilePath Rule Protection

    https://video2.skills-academy.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create#user-writable-filepaths

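    An added example (not part of this answer or of Microsoft's tooling) that makes the point testable: it inspects the ACL of a load directory and reports whether any principal other than SYSTEM, Administrators or TrustedInstaller can create or modify files there, which is the condition under which WDAC disregards a path rule at runtime. The event in the question shows the DLLs loading from the user's `%LOCALAPPDATA%\Temp`, so that is the sample path. The privileged-SID list is an assumption that approximates WDAC's internal check, not the documented algorithm. The last lines show the rule option named in the answer (option 18 in `Set-RuleOption`) and how to reverse it.

```powershell
# Added example (not from the answer above).
function Test-UserWritablePath {
    param([Parameter(Mandatory)][string]$Path)

    # Assumption: only these principals count as privileged; an Allow ACE that
    # grants write-type rights to any other SID makes the path "user writable".
    $privilegedSids = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    # Rights that let a principal place or alter a file in the directory.
    $writeBits = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                       [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Cast to int: inherited ACEs may carry generic-right bits outside the enum.
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # already a SID string (unresolvable account)
        }
        if ($sid -notin $privilegedSids) {
            return [pscustomobject]@{
                Path         = $Path
                UserWritable = $true
                GrantedTo    = $ace.IdentityReference.Value
                Rights       = $ace.FileSystemRights
            }
        }
    }
    [pscustomobject]@{ Path = $Path; UserWritable = $false; GrantedTo = $null; Rights = $null }
}

# The ClickOnce staging area from the question's event log: the interactive user
# has write access, so a *\screenconnect.client.dll path rule is ignored here.
Test-UserWritablePath -Path "$env:LOCALAPPDATA\Temp" | Format-List

# The answer's rule option, applied to the policy XML (path is an assumption).
# Option 18 = "Disabled:Runtime FilePath Rule Protection". Trade-off: with it set,
# a wildcard path rule allows any file of that name that any user drops into a
# matching location, so prefer hash or publisher rules where they are viable.
$PolicyXml = 'C:\CIPolicies\Merged.xml'
Set-RuleOption -FilePath $PolicyXml -Option 18
# To restore the default protection later:
# Set-RuleOption -FilePath $PolicyXml -Option 18 -Delete
```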
