{"id":24605,"date":"2022-05-23T03:40:04","date_gmt":"2022-05-23T01:40:04","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=24605"},"modified":"2022-05-23T03:40:04","modified_gmt":"2022-05-23T01:40:04","slug":"windows-defender-application-control-empfohlene-blockierungsregeln-mai-2022","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/05\/23\/windows-defender-application-control-empfohlene-blockierungsregeln-mai-2022\/","title":{"rendered":"Windows Defender Application Control: Recommended blocking rules (May 2022)"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Windows\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" width=\"200\" align=\"left\">[<a href=\"https:\/\/www.borncity.com\/blog\/2022\/05\/22\/windows-defender-application-control-empfohlene-blockierungsregeln-mai-2022\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] In Windows 10 and Windows 11, Windows Defender Application Control (WDAC) and AppLocker are available as security features in the enterprise editions (Windows 10\/11 Enterprise) (see <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-application-control\/feature-availability\" target=\"_blank\" rel=\"noopener\">this post<\/a>). In mid-May 2022, Microsoft published a list of recommended blocking rules, which I just came across. <\/p>\n<p><!--more--><\/p>\n<p>I got the information from the following <a href=\"https:\/\/twitter.com\/CyberWarship\/status\/1527645327595028481\" target=\"_blank\" rel=\"noopener\">tweet<\/a> by Florian Hansemann. 
The post in question, <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-application-control\/microsoft-recommended-block-rules\" target=\"_blank\" rel=\"noopener\">Microsoft recommended block rules<\/a>, dated May 13, 2022, contains Microsoft's recommendations on which applications to block by default in WDAC on Windows 10, Windows 11, and Windows Server (2016 and later).<\/p>\n<p><a href=\"https:\/\/twitter.com\/CyberWarship\/status\/1527645327595028481\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Microsoft recommended block rules (Windows\" alt=\"Microsoft recommended block rules (Windows\" src=\"https:\/\/i.imgur.com\/6u7nM5O.png\"><\/a><\/p>\n<p>The following list of applications was compiled in cooperation with members of the security community. Microsoft recommends blocking the applications on this list unless they are specifically required, because an attacker can use these applications or files to bypass application control policies, including Windows Defender Application Control:<\/p>\n<ul>\n<li>addinprocess.exe<\/li>\n<li>addinprocess32.exe<\/li>\n<li>addinutil.exe<\/li>\n<li>aspnet_compiler.exe<\/li>\n<li>bash.exe<\/li>\n<li>bginfo.exe<\/li>\n<li>cdb.exe<\/li>\n<li>cscript.exe<\/li>\n<li>csi.exe<\/li>\n<li>dbghost.exe<\/li>\n<li>dbgsvc.exe<\/li>\n<li>dnx.exe<\/li>\n<li>dotnet.exe<\/li>\n<li>fsi.exe<\/li>\n<li>fsiAnyCpu.exe<\/li>\n<li>infdefaultinstall.exe<\/li>\n<li>kd.exe<\/li>\n<li>kill.exe<\/li>\n<li>lxssmanager.dll<\/li>\n<li>lxrun.exe<\/li>\n<li>Microsoft.Build.dll<\/li>\n<li>Microsoft.Build.Framework.dll<\/li>\n<li>Microsoft.Workflow.Compiler.exe<\/li>\n<li>msbuild.exe<sup>2<\/sup><\/li>\n<li>msbuild.dll<\/li>\n<li>mshta.exe<\/li>\n<li>ntkd.exe<\/li>\n<li>ntsd.exe<\/li>\n<li>powershellcustomhost.exe<\/li>\n<li>rcsi.exe<\/li>\n<li>runscripthelper.exe<\/li>\n<li>texttransform.exe<\/li>\n<li>visualuiaverifynative.exe<\/li>\n<li>system.management.automation.dll<\/li>\n<li>wfc.exe<\/li>\n<li>windbg.exe<\/li>\n<li>wmic.exe<\/li>\n<li>wscript.exe<\/li>\n<li>wsl.exe<\/li>\n<li>wslconfig.exe<\/li>\n<li>wslhost.exe<\/li>\n<\/ul>\n<p>Regarding BGInfo, it should be noted that a security vulnerability in bginfo.exe was fixed in version 4.22 (the current version is v4.28). Those who use BGInfo should download and run the <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/bginfo\" target=\"_blank\" rel=\"noopener\">latest version<\/a> to be on the safe side. BGInfo versions prior to 4.22 are still vulnerable and should be blocked.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] In Windows 10 and Windows 11, Windows Defender Application Control (WDAC) and AppLocker are available as security features in the enterprise editions (Windows 10\/11 Enterprise) (see this post). In mid-May 2022, Microsoft published a list of recommended blocking rules &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/05\/23\/windows-defender-application-control-empfohlene-blockierungsregeln-mai-2022\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547,2],"tags":[773,69,194],"class_list":["post-24605","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-windows","tag-defender","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/24605","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=24605"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/24605\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=24605"}],"w
p:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=24605"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=24605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}