As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: youtu.be/1H9tEfkjFXs?t=
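Added example, not part of the thread: a PowerShell inventory of the signers of currently loaded kernel drivers, flagging ones whose signing certificate has already expired (the situation the tweet above describes) or whose thumbprint is on a watchlist. The thumbprints in the list are placeholders, not real values; the regex normalisation of service paths is an assumption about how Win32_SystemDriver reports them.

```powershell
# Added example (not from the thread): inventory the signers of loaded kernel
# drivers and flag ones whose signing certificate is expired or on a watchlist.
# Thumbprints below are PLACEHOLDERS; replace them with the ones you track.

$WatchlistThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_1',   # placeholder, not a real certificate thumbprint
    'PLACEHOLDER_THUMBPRINT_2'
)

function Get-LoadedDriverSignerReport {
    param(
        [string[]]$Watchlist = $WatchlistThumbprints
    )

    # Win32_SystemDriver lists kernel drivers registered as services; State tells
    # us which of them are currently running in the kernel.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted or carry \??\ or \SystemRoot\ prefixes (assumption);
            # normalise it to a plain file-system path before signature checks.
            $path = $_.PathName.Trim('"')
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -FilePath $path
            $cert = $sig.SignerCertificate

            [pscustomobject]@{
                Driver      = $_.Name
                Path        = $path
                SigStatus   = $sig.Status
                Signer      = if ($cert) { $cert.Subject }    else { $null }
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
                NotAfter    = if ($cert) { $cert.NotAfter }   else { $null }
                # An expired signer cert still loads when the signature was
                # timestamped, so expiry alone is a signal to review, not a block.
                CertExpired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
                OnWatchlist = if ($cert) { $Watchlist -contains $cert.Thumbprint } else { $false }
            }
        }
}

# Usage: put the drivers worth a second look at the top of the table.
Get-LoadedDriverSignerReport |
    Sort-Object OnWatchlist, CertExpired -Descending |
    Format-Table Driver, SigStatus, Signer, NotAfter, CertExpired, OnWatchlist -AutoSize
```

Run it from an elevated PowerShell session so every driver image is readable. The point of the CertExpired column is the one the tweet makes: a signer certificate past its NotAfter date is not, by itself, a reason Windows refuses the driver, so an inventory has to look at who signed it rather than whether the certificate is still valid today.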
Whether or not they are expired is immaterial. You can use WDAC/HVCI to block any driver. ASR blocks from a predefined list of vulnerable drivers. HVCI has a stronger threat model, which is important in this scenario because you assume someone who can load a driver is also admin.
Ah yes, it blocks known drivers for kernel memory access/EOP, not certificate abuse. Got that mixed up. Thanks.
WDAC policies work on both 10 and 11 with no hardware requirements, down to the Home SKU, despite some FUD misinformation I have seen, so it should be your first choice. Create a policy with the Wizard and then add a deny rule, or allow specific versions of Nvidia if you need to.
webapp-wdac-wizard.azurewebsites.net is where you get the Wizard
Decided to quickly build a policy to block the Nvidia cert. oscc.be/wdac/WDAC-for- Short blog on how to build the XML. People working with #wdac should be able to use this. If you want to specifically build a deny policy, take note of this.
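Added example, not from the thread or from the linked blog post: building the deny policy the two replies above describe with the built-in ConfigCI cmdlets instead of the Wizard. The exemplar driver path, the working directory and the choice of base template are assumptions; the rule is derived from whatever publisher certificate signed the exemplar file.

```powershell
# Added example (not from the thread or the linked blog): build a WDAC policy
# that denies drivers signed by a specific publisher certificate, using the
# ConfigCI cmdlets that ship with Windows. Paths and the exemplar are assumptions.

# Assumption: you have on disk one driver file carrying the signature you want
# to deny; the Publisher rule is derived from its signer certificate chain.
$ExemplarDriver = 'C:\Quarantine\exemplar-signed-driver.sys'   # placeholder path
$WorkDir        = 'C:\WDAC'
$BasePolicy     = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml"
$DenyXml        = Join-Path $WorkDir 'DenyPublisher.xml'
$MergedXml      = Join-Path $WorkDir 'DenyPublisherPolicy.xml'
$BinaryOut      = Join-Path $WorkDir 'DenyPublisherPolicy.bin'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Create a deny rule at the Publisher level. This keys on the leaf
#    certificate's subject plus the issuing CA, so every file signed by that
#    publisher is covered, not just this one .sys.
$denyRules = New-CIPolicyRule -DriverFilePath $ExemplarDriver -Level Publisher -Deny

# 2. Turn the rule set into a policy XML fragment.
New-CIPolicy -FilePath $DenyXml -Rules $denyRules -MultiplePolicyFormat

# 3. Merge the deny fragment into a base policy. Deny rules take precedence
#    over allow rules in WDAC, so the base allow-list stays intact while the
#    signer is blocked.
Merge-CIPolicy -PolicyPaths $BasePolicy, $DenyXml -OutputFilePath $MergedXml | Out-Null

# 4. Start in audit mode (rule option 3). Windows then logs what it WOULD have
#    blocked as event 3076 in Microsoft-Windows-CodeIntegrity/Operational
#    without actually blocking, so you can catch over-broad rules first.
Set-RuleOption -FilePath $MergedXml -Option 3

# 5. Compile to the binary form that gets deployed to
#    %SystemRoot%\System32\CodeIntegrity\CiPolicies\Active\{PolicyId}.cip
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $BinaryOut

Write-Host "Audit-mode policy written to $BinaryOut."
Write-Host "Review 3076 events, then run: Set-RuleOption -FilePath $MergedXml -Option 3 -Delete and recompile to enforce."
```

Two things worth keeping in mind when using this. A Publisher-level rule is what you want when the problem is a compromised certificate rather than one bad file, because a hash or file-name rule is trivially sidestepped by re-signing something else with the same key. And leaving audit mode on for a cycle before deleting option 3 is what tells you whether legitimately shipped Nvidia drivers on your estate were signed with the same publisher certificate and would be caught too, which is the case where the "allow specific versions" path mentioned earlier becomes necessary.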