[German]In Windows 10 and Windows 11, Windows Defender Application Control (WDAC) and AppLocker are available as features in the enterprise variants (Windows 10/11 Enterprise) as security features (see this post). Now, Microsoft has published a list of recommended blocking rules in mid-May 2022 that I just came across.
Advertising
I got the information in the following tweet from Florian Hansemann. The post in question,Microsoft recommended block rules, dated May 13, 2022, contains Microsoft's recommendations on which applications to block by default in WDAC on Windows 10, Windows 11, and Windows Server (2016 and later).
The list of the following applications was compiled in cooperation with members of the security community. Microsoft recommends blocking the applications from the following list (unless specifically required). This is because these applications or files can be used by an attacker to bypass application admission policies, including Windows Defender Application Control:
- addinprocess.exe
- addinprocess32.exe
- addinutil.exe
- aspnet_compiler.exe
- bash.exe
- bginfo.exe
- cdb.exe
- cscript.exe
- csi.exe
- dbghost.exe
- dbgsvc.exe
- dnx.exe
- dotnet.exe
- fsi.exe
- fsiAnyCpu.exe
- infdefaultinstall.exe
- kd.exe
- kill.exe
- lxssmanager.dll
- lxrun.exe
- Microsoft.Build.dll
- Microsoft.Build.Framework.dll
- Microsoft.Workflow.Compiler.exe
- msbuild.exe2
- msbuild.dll
- mshta.exe
- ntkd.exe
- ntsd.exe
- powershellcustomhost.exe
- rcsi.exe
- runscripthelper.exe
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
- wfc.exe
- windbg.exe
- wmic.exe
- wscript.exe
- wsl.exe
- wslconfig.exe
- wslhost.exe
Regarding BGInfo it should be noted that a security vulnerability in bginfo.exe was fixed in version 4.22 (current is v4.28). Those who use BGInfo should download and run the latest version to be on the safe side. BGInfo versions prior to 4.22 are still vulnerable and should be blocked.
