What's Changed
Significantly improved the Invoke-WDACSimulation cmdlet. The WDAC policy simulation is now out of the beta phase and is working very well. I've run it on more than 100k unique files belonging to multiple programs, the results have all been correct.
Some Use Cases of the Invoke-WDACSimulation cmdlet
- Have a WDAC policy and want to test whether all of the files of a program will be allowed by the policy without running the program first? Use this WDAC simulation to find out.
- Employ this simulation method to discover files that are not explicitly listed in the WDAC policy but are still authorized to run by it. When you scan a folder to create a Supplemental policy for the files inside it, some files might not need to be mentioned in the XML policy file because they are already sanctioned by their certificate details through rules created for other files, so it is not possible to confirm they are covered merely by examining the XML file. Using this simulation, you can confirm their eligibility and whether or not they are permitted by the WDAC policy, using robust automated methods of verification.
- Identify files that have a hash mismatch and will not be permitted by the WDAC engine based on their signature. These files are typically found in questionable software because they have been tampered with. They are still incorporated into the WDAC policy based on their certificate signature, but when you execute them you will receive a blocked message. Use this WDAC simulation feature to detect them without running them first.
- And more.
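As an added example (not part of these release notes or of the WDACConfig module's own code), the script below shows the kind of check the simulation automates: it walks a program folder, classifies each signable file by its Authenticode signature status, and separates the two classes the notes describe, files whose signature hash no longer matches (tampered, so a publisher rule will not allow them at run time) and files with no signature at all (allowable only by hash or path). The folder path is a placeholder, and the `-FolderPath` / `-XmlFilePath` parameters on the final `Invoke-WDACSimulation` call are assumed names; check `Get-Help Invoke-WDACSimulation` for the parameters your installed version accepts.

```powershell
# Added example, not code from the WDACConfig module.
# Triage the signature state of every signable file under a folder before
# running the WDAC policy simulation against it.
function Get-SignatureTriage {
    param(
        [Parameter(Mandatory)][string]$FolderPath
    )
    # File types Get-AuthenticodeSignature can evaluate (PE images, installers, scripts).
    $extensions = @('.exe', '.dll', '.sys', '.ocx', '.msi', '.cab', '.ps1', '.psm1')

    Get-ChildItem -Path $FolderPath -Recurse -File |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                # SignatureStatus enum: Valid, HashMismatch, NotSigned, NotTrusted, UnknownError, ...
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                # SHA256 of the file, the value a hash rule would need for unsigned files.
                Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$folder = 'C:\Program Files\ExampleApp'   # placeholder path, replace with the program folder
$triage = Get-SignatureTriage -FolderPath $folder

# Signature present but the embedded hash no longer matches the file contents:
# WDAC will not honor the certificate, so a publisher-based allow rule does not cover these.
$tampered = $triage | Where-Object Status -eq 'HashMismatch'

# No signature at all: these can only be allowed by file hash (or path/attribute rules).
$unsigned = $triage | Where-Object Status -eq 'NotSigned'

# Summary per status, then the two lists that matter for the policy author.
$triage | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$tampered | Format-Table File, Signer -AutoSize
$unsigned | Select-Object File, Hash | Format-Table -AutoSize

# Finally, let the module decide what the policy actually allows (assumed parameter names):
# Invoke-WDACSimulation -FolderPath $folder -XmlFilePath 'C:\Policies\ExampleApp.xml'
```

The triage only tells you how each file is signed; which files the policy ultimately permits still depends on the rule levels in the XML, which is exactly what the simulation resolves.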
Continue reading about this cmdlet in this document
Related PR: #134