Post ArmveewW7m0jYlNTou by [email protected]
More posts by [email protected]

Post #AriX1VANMeDEPdod6m by [email protected]
0 likes, 1 repeats
I recently deleted a thread here as my tests were not valid. What was wrong? Th…

Post #ArkdDmdTEBXO6naG8W by [email protected]
0 likes, 1 repeats
If we test with our own custom WDAC rules, we can confirm that all of the allow…

Post #Armay6BcxWIcWFsDrs by [email protected]
0 likes, 1 repeats
Further investigation of the endpoint's driver blocklist being out of sync …

Post #Armay6LYMcEt12W9L6 by [email protected]
0 likes, 0 repeats
If we think that WDAC individual block list rules work OK, but the Microsoft re…

Post #Armay6WtgRJTaDpD1M by [email protected]
0 likes, 1 repeats
So, based on our BSOD, we can conclude that non-HVCI WDAC driver blocking based…

Post #ArmfasYlxLNVMpRlQW by [email protected]
0 likes, 1 repeats
But what about with HVCI on? Does turning HVCI on now make FileAttrib qualifier…

Post #ArmkWmA4Iqsm8Rkq3s by [email protected]
0 likes, 1 repeats
@wdormann mean while at Securing Windows 11 you can no longer test Beta or Cana…

Post #ArmlbNgQq59LcVeUFs by [email protected]
0 likes, 1 repeats
@RonnyTNL That's what you get for having a too-new processor? FWIW, 12th Gen…

Post #Armqyq7tkpFWGXVLKy by [email protected]
0 likes, 1 repeats
Even recently, there are folks talking about how the Microsoft recommended driv…

Post #ArmsfmbGqAUnjfHfNY by [email protected]
0 likes, 1 repeats
@wdormann you got a minute ;) My Insider is a different build, this is my Canary…

Post #ArmsuJFoENgf41AkW8 by [email protected]
0 likes, 1 repeats
@wdormann here is my Insider Beta which is broken since feb 8th. 22635.4945 end…

Post #ArmveeoiallxAZjFfE by [email protected]
0 likes, 0 repeats
@wdormann and to top it off, stable 23H2 snapshot upgraded 50% of the ~20 machi…

Post #ArmveewW7m0jYlNTou by [email protected]
0 likes, 1 repeats
@RonnyTNL Yeah, I suspect that the 24H2 rollout is staged. I've seen no co…

Post #Arn4Dj2JhChe1ZK28O by [email protected]
0 likes, 0 repeats
@RonnyTNL Ah, it looks like I was on Insider "Dev" as opposed to Cana…

Post #Arn4DjBt7cMKVFng3M by [email protected]
0 likes, 0 repeats
@RonnyTNL Eh, 27802.1000 works for me. 🤷‍♂️

Post #Arn4DjJKfwJWsLHcem by [email protected]
0 likes, 1 repeats
@wdormann

Post #ArxHFMSTuUdkT7RNFA by [email protected]
0 likes, 0 repeats
@wdormann Could you share your VM Hardware settings?

Post #ArxHFMZvSoawqCvJqa by [email protected]
0 likes, 0 repeats
@RonnyTNL https://pastebin.com/1fuQuWma

Post #ArxHFMh12SGZCCEytk by [email protected]
0 likes, 0 repeats
@wdormann 4️⃣ 0️⃣ 4️⃣

Post #ArxHFMmghMnrTmtVjs by [email protected]
0 likes, 1 repeats
@RonnyTNL LOL. It was there, but they deleted it.

Post #ArxIRKDIPOW0SrS5GS by [email protected]
0 likes, 1 repeats
LOL. Just got a response from MSRC, and they don't consider any of the 3 v…

Post #AryABwQBtiQohgxlp2 by [email protected]
0 likes, 1 repeats
@wdormann this is a bit on you though. You've reported this near the end of t…

Post #AryLLseLsGBjOjWpuK by [email protected]
0 likes, 1 repeats
@jtig @wdormann, is_vulnerability = some_func(reporter, datetime.now(), report)?

Post #ArymzXUie7ai8D9sAq by [email protected]
0 likes, 1 repeats
@jtig I don't want a damn bounty. I want them to: 1) Actually read my reports…

Post #AseZqEvl9scrBYMI5o by [email protected]
0 likes, 1 repeats
One of the 3 vulnerabilities that I've outlined is that the on-endpoint dri…

Post #Asea6cKfv0eQOkp1LU by [email protected]
0 likes, 1 repeats
@wdormann In their "defense" you did make the video reaaaaaaaaaalllll…

Post #AseasVmfZKAhzLkngG by [email protected]
0 likes, 1 repeats
@wdormann Endless loop of "It's a feature, not a bug. Ticket closed. B…

Post #Aseb5EdOdqZ2Z4U2Ge by [email protected]
0 likes, 0 repeats
@cR0w I mean, when they refused to accept my video on YouTube, they did tell me…

Post #Aseb5Ej4Il6Kqf8Z6m by [email protected]
0 likes, 1 repeats
@wdormann Depending on your quota and the size of the video.

Post #AsebLpIO6WAmttZHsm by [email protected]
0 likes, 1 repeats
@wdormann Next time put EICAR in the EXIF when you load it on OneDrive.

Post #AsebptEG2oQRmryJEW by [email protected]
0 likes, 0 repeats
@wdormann I know it shouldn't trigger any action that way, but I'd be c…

Post #AsebptJvhixk4Scq4e by [email protected]
0 likes, 0 repeats
@cR0w I did have an AV vendor recently request my EICAR-containing PoC in a pas…

Post #AsebptPbMdV2M3HMum by [email protected]
0 likes, 1 repeats
@wdormann What? Are they just running strings and checking the output before an…

Post #AsebptVd0EJuek6BJA by [email protected]
0 likes, 1 repeats
@cR0w I assume that they eat their own dogfood, and their AV product "prot…

Post #AseeATJrlpADQ5XMUS by [email protected]
0 likes, 0 repeats
@wdormann @cR0w Reminds me of: https://project-zero.issues.chromium.org/issues/…

Post #AseeATRJK97PnB1J5s by [email protected]
0 likes, 0 repeats
@buherator @wdormann Didn't Microsoft stuff start doing that too? Guessing …

Post #AseeATWyz3ei4lfpw0 by [email protected]
0 likes, 0 repeats
@cR0w @wdormann Probably? Gmail definitely does that. Zero-click attack surface…

Post #AseeATd0ceTaNSUeKO by [email protected]
0 likes, 1 repeats
@buherator @cR0w Yeah, even with a number of different ZIP passwords, I found t…

Post #AseepzLdas0ScyA7c0 by [email protected]
0 likes, 0 repeats
@wdormann @buherator I guess that makes sense if it's password protected bu…

Post #AseepzSNBpOUxrJV6u by [email protected]
0 likes, 0 repeats
@cR0w @buherator I didn't investigate much further, but I suspect that Gmai…

Post #AsejtyMngQt4VtQQca by [email protected]
0 likes, 0 repeats
@wdormann Metrics go

Post #Asek2DLNsmNjHTh0rI by [email protected]
0 likes, 0 repeats
@buherator @wdormann Maybe it was Google I was thinking but I thought I heard M…

Post #Asek2H0cFw96eE0U2i by [email protected]
0 likes, 0 repeats
@cR0w @wdormann I mean it's the logical next step if you want to pretend yo…

Post #Asev7RDooLG3GZqbXU by [email protected]
0 likes, 1 repeats
@wdormann @cR0w @buherator "Encrypted Zip files"? You over estimate th…

Post #Asf4SOesR85Cz5ZYgq by [email protected]
0 likes, 0 repeats
Did you verify that Gmail doesn't flag just all encrypted ZIP files of any …

Post #Asf4SOlc25TFJyiwBk by [email protected]
0 likes, 0 repeats
@cy @cR0w @buherator Ah, good guess! Using standard zip encryption with an ungue…

Post #Asf4SOrdfgI7cfXka8 by [email protected]
0 likes, 1 repeats
@wdormann @cy @buherator Sorry if this is a dumb question, but what do you mean…

Post #Asf4SOxfJH6zvMMYyW by [email protected]
0 likes, 1 repeats
@cR0w @cy @buherator Eh, whatever zip comes with macOS. Info-ZIP, it seems. I as…

Post #Asf6ZAmgcNxftFaHXE by [email protected]
0 likes, 0 repeats
@[email protected] @[email protected] @[email protected] @buherator@i…

Post #Asf6ZAt4Ef48D2ZNTs by [email protected]
0 likes, 1 repeats
@pup @wdormann @buherator @cy Ah, that makes sense. I forgot all about that. Go…

Post #Asf6b1jpDr0IPg87Xc by [email protected]
0 likes, 1 repeats
@pup @cR0w @buherator @cy CRC32 isn't enough to uniquely identify files. T…

Post #Asf6kpTXfZF3HFBhZY by [email protected]
0 likes, 1 repeats
@wdormann @pup @buherator @cy There would be, but if you use the CRC32 combined…

Post #Asf6zslthHIRqLx2DQ by [email protected]
0 likes, 1 repeats
@cy @cR0w @buherator Actually, after some further tests: The Info-ZIP that comes…

Post #AsfOzKILg88M5i0xhA by [email protected]
0 likes, 0 repeats
@[email protected] @[email protected] @[email protected] @cy@…

Post #AsfOzKP5H5WOQbALC4 by [email protected]
0 likes, 1 repeats
@pup @cR0w @buherator @cy FWIW, I generated a file with the same size and CRC32…

Post #AsfPQhGEOrlf8Z4jUu by [email protected]
0 likes, 1 repeats
@wdormann @pup @buherator @cy Now I'm really interested.

Post #AsgHzJOQWjSwlxraz2 by [email protected]
0 likes, 1 repeats
@cR0w @pup @buherator @cy FWIW, I did some testing with the eicar string in an …

Post #AsgIGD1HTZedvf5uPA by [email protected]
0 likes, 1 repeats
@wdormann @pup @buherator @cy Interesting. Is your gmail account a business acc…

Post #AsgM2ZzbfLNgwP4Fhg by [email protected]
0 likes, 0 repeats
@wdormann @cR0w @pup @cy Could you do a run with `7z -mhe=on`?

Post #AsgM2a6LGIljHIDdCa by [email protected]
0 likes, 0 repeats
@buherator @cy @cR0w @pup An encrypted .7z file that uses -mhe=on is blocked, r…

Post #AsgM2aDmociveNhZo0 by [email protected]
0 likes, 1 repeats
@wdormann @buherator @cy @pup I wonder if they also consider it malicious in Dr…

Post #AsgMBDNX77PLPXNPm4 by [email protected]
0 likes, 1 repeats
@cR0w @buherator @cy @pup No, that's allowed.

Post #AsgMKmdfO1fBNIUAka by [email protected]
0 likes, 0 repeats
@wdormann @buherator @cy @pup I'm not following the logic then. That seems …

Post #AsgMKmk30Ildh5TGhE by [email protected]
0 likes, 1 repeats
@cR0w @buherator @cy @pup Nor I.

Post #AsgNcHIqjMjlM5ee7U by [email protected]
0 likes, 0 repeats
@wdormann @cR0w @pup @buherator @cy I've been quietly watching all these te…

Post #AsgNcHPELdqDfsdk48 by [email protected]
0 likes, 1 repeats
@reverseics @wdormann @pup @buherator @cy I hate computers so much. They used t…

Post #AuQMGCGXf7jsTn9d0y by [email protected]
0 likes, 0 repeats
@wdormann First of thanks a lot for posting all those insights! I'm trying …

Post #AuQMGCQp2txizfxq2S by [email protected]
0 likes, 0 repeats
@wdormann Also I'm not sure if the FilePath attrib can be used to explicitl…

Post #AuQMGCZgVx3FRA6uqu by [email protected]
0 likes, 0 repeats
@wdormann Maybe the drivers were blocked by HVCI and not by the block list. Thi…

Post #AuQMGCiXz08lseFzfM by [email protected]
0 likes, 0 repeats
@wdormann If the driver was blocked by the hvci feature and not the block list …

Post #AuQMGCovbHFECRF5c0 by [email protected]
0 likes, 0 repeats
@qdkp Oh, somehow I failed to reply to this... With HVCI off, the driver in the …