Conversation

Is there going to be a center to dispute and/or resolve issues that cause a driver to be in the blocklist? I think this is scary without any sort of (actually supported) way of resolving “vulnerabilities” & unblocking a blacklisted driver.
It depends on what you mean by ‘vulnerabilities’. One must consider not just malicious or ‘vulnerable’ drivers but also ‘dual-use’ - those that can have legit uses but also are leveraged by attackers to affect security posture/bypass sec stack.
You raise a good point, but I can think of a notable example in Sysinternals' very own procexp.. I hate to raise up the KPH point, but why is this: github.com/Yaxser/Backstab not an issue to blacklist over but KPH apparently is by its nature? I know Sysinternals is MS tooling, but c'mon..
I’m sure there’s more, though. My main question is what exactly qualifies some driver as “dual use”? How severe do issues need to be to warrant driver blacklisting? I’d just like to see a detailed page eventually on the exact process and specifics, it’s only fair to driver devs🤷
I hear you. We have efforts going on internally to define the bounds around this. There is nuance here in terms of getting the balance right. But what I can say is that we’re very serious about providing both the expected level of security and the necessary manageability controls.