Windows Defender Exploit Guard - creating rule for particular process does not work.

  • Question

  • Hello,

         I am testing the implementation of Windows Defender Exploit Guard for a client.  I have a test device that creates the following event with event id of 12 in Microsoft-Windows-Security-Mitigations/KernelMode

    "Process '\Device\HarddiskVolume4\Windows\System32\svchost.exe' (PID 4740) was blocked from loading the non-Microsoft-signed binary '\Program Files\Bonjour\mdnsNSP.dll'."

    mdnsNSP.dll is a file for use with the discovery service Bonjour with iTunes and is signed by Apple, Inc.  I understand why it is firing.  However, it is a legit file to load.

    I read on how to configure it for specific processes here:
    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection

    I attempted to set the Code Integrity Guard for that 'program' to off/disabled as well as setting it to Audit, both via the GUI and PowerShell.

    However the test machine continues to produce these messages.

    This feature is rather new, and svchost is not a typical program.  So I thought perhaps it is special.  Or that maybe while the wording matches, the event was being generated by another feature.

    However I am out of ideas.  Any help?


    Wednesday, July 18, 2018 3:53 PM

Answers

  • The table I used to determine what mitigation produced what event ID is not well labeled. (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard)

    In the Windows Defender Security Center settings, when you look at the individual "Program Settings" you might expect Event ID 12 (12 - Code integrity guard block) to be generated by the mitigation named "Code integrity guard".  This is not necessarily the case.  It is generated by "Control flow guard" events.

    So you cannot take for granted, until they correct it, that events generated by mitigations cause the event ID on that table.

    Just FYI.
    • Marked as answer by David.S.B Friday, July 20, 2018 7:35 PM
    Friday, July 20, 2018 7:24 PM

All replies

  • We have the same issue. We're using the exploit protection default configuration. When checking the app mitigations for svchost with PowerShell I get the following output:

    Get-ProcessMitigation -Name svchost.exe

    ProcessName                      : svchost.exe
    Source                           : Registry
    Id                               : 0
    DEP:
        Enable                             : NOTSET
        EmulateAtlThunks                   : NOTSET
        Override DEP                       : False
    ASLR:
        BottomUp                           : NOTSET
        Override BottomUp                  : False
        ForceRelocateImages                : NOTSET
        RequireInfo                        : NOTSET
        Override ForceRelocate             : False
        HighEntropy                        : NOTSET
        Override High Entropy              : False
    StrictHandle:
        Enable                             : NOTSET
        Override StrictHandle              : False
    System Call:
        DisableWin32kSystemCalls           : NOTSET
        Audit                              : NOTSET
        Override SystemCall                : False
    ExtensionPoint:
        DisableExtensionPoints             : NOTSET
        Override ExtensionPoint            : False
    DynamicCode:
        BlockDynamicCode                   : NOTSET
        AllowThreadsToOptOut               : NOTSET
        Audit                              : ON
        Override DynamicCode               : False
    CFG:
        Enable                             : NOTSET
        SuppressExports                    : NOTSET
        Override CFG                       : False
        StrictControlFlowGuard             : NOTSET
        Override StrictCFG                 : False
    BinarySignature:
        MicrosoftSignedOnly                : NOTSET
        AllowStoreSignedBinaries           : NOTSET
        EnforceModuleDependencySigning     : NOTSET
        AuditMicrosoftSignedOnly           : ON
        AuditStoreSigned                   : NOTSET
        AuditEnforceModuleDependencySigning: NOTSET
        Override MicrosoftSignedOnly       : False
        Override DependencySigning         : False
    FontDisable:
        DisableNonSystemFonts              : NOTSET
        Audit                              : NOTSET
        Override FontDisable               : False
    ImageLoad:
        BlockRemoteImageLoads              : NOTSET
        AuditRemoteImageLoads              : NOTSET
        Override BlockRemoteImages         : False
        BlockLowLabelImageLoads            : NOTSET
        AuditLowLabelImageLoads            : NOTSET
        Override BlockLowLabel             : False
        PreferSystem32                     : NOTSET
        AuditPreferSystem32                : NOTSET
        Override PreferSystem32            : False
    Payload:
        EnableExportAddressFilter          : NOTSET
        AuditEnableExportAddressFilter     : NOTSET
        Override ExportAddressFilter       : False
        EnableExportAddressFilterPlus      : NOTSET
        AuditEnableExportAddressFilterPlus : NOTSET
        Override ExportAddressFilterPlus   : False
        EAFModules                         : {}
        EnableImportAddressFilter          : NOTSET
        AuditEnableImportAddressFilter     : NOTSET
        Override ImportAddressFilter       : False
        EnableRopStackPivot                : NOTSET
        AuditEnableRopStackPivot           : NOTSET
        Override EnableRopStackPivot       : False
        EnableRopCallerCheck               : NOTSET
        AuditEnableRopCallerCheck          : NOTSET
        Override EnableRopCallerCheck      : False
        EnableRopSimExec                   : NOTSET
        AuditEnableRopCallerCheck          : NOTSET
        Override EnableRopSimExec          : False
    SEHOP:
        Enable                             : NOTSET
        TelemetryOnly                      : NOTSET
        Audit                              : NOTSET
        Override SEHOP                     : False
    Heap:
        TerminateOnError                   : NOTSET
        Override HEAP                      : False
    Child Process:
        DisallowChildProcessCreation       : NOTSET
        Audit                              : NOTSET
        Override ChildProcess              : False

    My question: Why do I get an Event ID 12 (Code integrity guard block)? From my understanding CIG is configured in audit mode for svchost. Why should Event ID 12 be a CFG event? Is the documentation wrong?


    • Edited by BondiSurfer Thursday, July 26, 2018 1:45 PM
    Thursday, July 26, 2018 1:42 PM
  • I configured CFG to suppress the system settings and turned it off for svchost and I stopped receiving the event.

    I am guessing bad documentation.
    Thursday, July 26, 2018 1:50 PM
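The check and change described in the thread, written out as an added example (not code posted by any participant). It assumes an elevated PowerShell on a Windows 10 test device with the ProcessMitigations module, that Set-ProcessMitigation -Disable CFG applies the same per-program override the last reply set through the GUI, and that the event channel name is the one quoted in the question.

```powershell
# Added example: confirm which mitigation produces Event ID 12 for svchost.exe
# by recording the current state, counting events, changing only CFG for that
# program, and re-counting. Test device only: this weakens svchost's protection.

$proc = 'svchost.exe'
$log  = 'Microsoft-Windows-Security-Mitigations/KernelMode'   # channel from the question

# 1. Show the per-program CFG and BinarySignature (CIG) state before touching anything,
#    so you know which setting is actually in effect for this process entry.
$m = Get-ProcessMitigation -Name $proc
'--- CFG ---';             $m.CFG             | Format-List Enable, SuppressExports, StrictControlFlowGuard
'--- BinarySignature ---'; $m.BinarySignature | Format-List MicrosoftSignedOnly, AuditMicrosoftSignedOnly

# 2. Baseline: how many Event ID 12 entries were logged in the last hour.
$since  = (Get-Date).AddHours(-1)
$before = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 12; StartTime = $since } `
            -ErrorAction SilentlyContinue)
"Event ID 12 entries in the last hour: $($before.Count)"
$before | Select-Object -First 3 -ExpandProperty Message

# 3. The change from the last reply: override the system default and turn CFG off
#    for this program only (assumed to be equivalent to the GUI 'override' switch).
Set-ProcessMitigation -Name $proc -Disable CFG
"CFG.Enable for $proc is now: $((Get-ProcessMitigation -Name $proc).CFG.Enable)"

# 4. Re-trigger the DLL load (e.g. restart the Bonjour service), then re-count
#    only the entries logged since the change.
$changedAt = Get-Date
Restart-Service -Name 'Bonjour Service' -ErrorAction SilentlyContinue
Start-Sleep -Seconds 10
$after = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 12; StartTime = $changedAt } `
           -ErrorAction SilentlyContinue)
"New Event ID 12 entries since the CFG change: $($after.Count)"
```

If the count in step 4 stays at zero while step 2 was non-zero, the event is tied to the CFG setting rather than the CIG one, which is what the accepted answer reports; Set-ProcessMitigation -Name svchost.exe -Enable CFG restores the previous state.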