
Windows Defender ATP, Blocking unwanted applications

Categories: Defender, Device Guard, WDAPT

One of the features of Windows Defender ATP is blocking all non-Microsoft binaries from running, so if a machine is under attack or suspected of being compromised, one response step is locking down the device so rogue applications stop working and the machine can be examined (the other step, network isolation, I will test in a second post).

The first test is enabling the restriction on a device without any prior policy; then I will try one with an existing policy, signed and unsigned.

Result of the post, to save you reading: the device still works, thanks to Microsoft-signed drivers on a Lenovo X1 Yoga laptop.

In the Windows Defender Security Center there is an option to restrict app execution. The concern before testing was how a non-Microsoft hardware device would behave, so I took a Lenovo and installed Windows 10 and Lenovo System Update.

Go Go

A few seconds later the device is restricted.

Since I didn't have an evil .exe, I tested with Chrome, and it was blocked as designed.

After a test reboot we can see that a bit more was blocked:

C:\program files (x86)\google\chrome\application\chrome.exe
C:\program files (x86)\google\update\googleupdate.exe
C:\program files (x86)\lenovo\system update\tvsushim.exe
C:\program files\conexant\caudiofilteragent\sacpl.exe
C:\program files\dolby\dolby dax2\dax2_api\dolbydax2api.exe
C:\program files\dpr\dpr.exe
C:\users\fr-\appdata\local\openlivewriter\update.exe

But in reality nothing important: all drivers were Microsoft-signed, so the device was still functioning.
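A check worth running before turning the restriction on, as an added example that is not from the original post: inventory which executables on the box are not Microsoft-signed, since those are what "Restrict app execution" stops. The PowerShell below uses the built-in Get-AuthenticodeSignature cmdlet; the function name Get-NonMicrosoftBinaries, the "O=Microsoft Corporation" subject match, and the sample path list (taken from the blocked list above) are this example's own choices and assumptions.

```powershell
# Added example, not from the original post. Lists executables that are
# NOT validly Microsoft-signed, i.e. the ones "Restrict app execution"
# would stop. Assumes Windows PowerShell 5.1+ on a Windows 10 host.

function Get-NonMicrosoftBinaries {
    param(
        # Paths to inspect; by default the image paths of running processes.
        [string[]] $Path = (Get-Process |
            Where-Object Path |
            Select-Object -ExpandProperty Path -Unique)
    )

    foreach ($p in $Path) {
        # Skip paths that do not exist on this machine (sample lists, uninstalled apps).
        if (-not (Test-Path -LiteralPath $p)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $p
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Assumption: a binary counts as Microsoft-signed only if the signature
        # chain is valid AND the signer subject names Microsoft Corporation.
        $isMicrosoft = ($sig.Status -eq 'Valid') -and
                       ($subject -match 'O=Microsoft Corporation')

        [pscustomobject]@{
            Path        = $p
            Status      = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer      = $subject
            IsMicrosoft = $isMicrosoft
        }
    }
}

# Sample input constructed from the post's own blocked list; on a machine
# without these apps the non-existent paths are simply skipped.
$samplePaths = @(
    'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe',
    'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe',
    'C:\Program Files (x86)\Lenovo\System Update\tvsushim.exe',
    'C:\Program Files\Conexant\cAudioFilterAgent\sacpl.exe',
    'C:\Program Files\Dolby\Dolby DAX2\DAX2_API\DolbyDAX2API.exe',
    'C:\Program Files\DPR\DPR.exe'
)

# Everything in the sample list that the restriction would affect:
Get-NonMicrosoftBinaries -Path $samplePaths |
    Where-Object { -not $_.IsMicrosoft } |
    Format-Table -AutoSize

# Same check against whatever is running right now:
Get-NonMicrosoftBinaries |
    Where-Object { -not $_.IsMicrosoft } |
    Format-Table -AutoSize
```

One caveat when reading the output: many OS components are catalog-signed rather than carrying an embedded signature, and older PowerShell builds report those as NotSigned, so a Windows binary showing up in the list is a prompt to verify, not proof that it would be blocked. The list of third-party installers, updaters and OEM agents it produces is the useful part: that is the set of things to expect to stop working, exactly as the Chrome, Google Update and Lenovo entries did above.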

All blocked executions are easily traced in the Defender Security Center portal.

And reversing it is just as easy.