What's Changed
General Improvements
- Changed -LogSize parameter types to unsigned integers since they do not accept negative values. Made the same change internally to a few variables.
- Removed the -Level and -Fallbacks parameters from New-DenyWDACConfig -Drivers and instead assigned WHQLFilePublisher to the level and None to the fallbacks. The created policies always enforce WHQL criteria, and since the drivers are being scanned, WHQLFilePublisher is the best level to use.
- Improved event log collection and processing by making it more resilient and removing repeated code from the module. Now only one function is used whenever event logs need to be collected anywhere in the module.
- This new function collects every piece of available information about each event, groups similar correlated events together and processes them properly for extreme visibility.
- New cmdlet 🧁 Get-CiFileHashes 🧁 calculates the SHA1 and SHA2-256 Authenticode hashes and the first page hash of PE files. For non-conformant files, it calculates the flat file hashes instead. All calculations follow the WDAC and Code Integrity requirements in Windows.
- New cmdlet 🧁 ConvertTo-WDACPolicy 🧁 presents the Code Integrity logs in a graphical user interface (GUI) and lets the user choose which logs to use. The logs can be filtered in various ways, such as by date, type, the policy that generated them, and so on.
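To illustrate why Get-CiFileHashes distinguishes Authenticode hashes from flat file hashes, here is an added Python example (not part of the WDACConfig module) that computes the Authenticode hash by skipping the CheckSum field, the Certificate Table directory entry and the appended certificate table, and compares it with a flat hash. The sample PE image is constructed in the script; it assumes sections are laid out in file order and does not implement the first page hash.

```python
import hashlib
import struct


def _pe_layout(data: bytes):
    """Return (checksum_off, certdir_off, cert_off, cert_size) for a PE image.

    e_lfanew lives at 0x3C, the COFF header is 20 bytes, CheckSum sits at
    optional-header offset 64, and the Certificate Table directory (index 4)
    starts at offset 96 (PE32) or 112 (PE32+) plus 4 * 8.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dd_off = 96 if magic == 0x10B else 112
    checksum_off = opt_off + 64
    certdir_off = opt_off + dd_off + 4 * 8
    cert_off, cert_size = struct.unpack_from("<II", data, certdir_off)
    return checksum_off, certdir_off, cert_off, cert_size


def excluded_ranges(data: bytes):
    """Byte ranges the Authenticode hash skips, in file order."""
    checksum_off, certdir_off, cert_off, cert_size = _pe_layout(data)
    ranges = [(checksum_off, checksum_off + 4), (certdir_off, certdir_off + 8)]
    if cert_size:
        ranges.append((cert_off, cert_off + cert_size))
    return ranges


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Hash every byte of the image except the excluded ranges."""
    h = hashlib.new(algo)
    pos = 0
    for start, end in excluded_ranges(data):
        h.update(data[pos:start])
        pos = end
    h.update(data[pos:])
    return h.hexdigest()


def flat_hash(data: bytes, algo: str = "sha256") -> str:
    """Plain hash of the whole file, as used for non-PE (non-conformant) files."""
    return hashlib.new(algo, data).hexdigest()


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (not a real binary): DOS header, PE
    signature, COFF header, 240-byte optional header, 64 bytes of section
    data and, when signed, a dummy 16-byte certificate table appended."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    section = bytes(range(64))
    cert = b"\xAA" * 16 if signed else b""
    if signed:  # signing rewrites CheckSum and fills in the cert directory
        struct.pack_into("<I", opt, 64, 0x1234)
        struct.pack_into("<II", opt, 112 + 4 * 8, 64 + 4 + 20 + 240 + 64, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + section + cert
```

The Authenticode hash of the unsigned and signed variants is identical, which is what lets a WDAC hash rule keep matching after a file is signed, while the flat hash changes.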
WDAC Simulation
- Since .bat and .ocx file types do not support Authenticode signing, the simulation no longer checks their signatures, leading to overall performance improvements.
- Improved performance of the simulation by handling non-conformant files faster using the WDACConfig module itself.
PR: #202