Replies: 4 comments
Additional info I've since found. The AppControlCodeIntegrityPolicyAudited action type has the file info and AppControlCodeIntegritySigningInformation has the publisher/signer info. They seem to have the SHA256 field in common, so I'll try manually cobbling them together to see if that works in the Wizard.
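One way to do the cobbling together described above, as an added example that is not code from this discussion or from the WDAC Wizard: it pairs each file row in an exported CSV with the signing-information row that shares its SHA256, fills in the blank columns, and reports hashes that had no signing row at all. Column names other than SHA256 and IssuerName, and every sample value, are assumptions made for the example.

```python
import csv
import io

SIGNING_EVENT = "AppControlCodeIntegritySigningInformation"

# Constructed sample export, not a real Advanced Hunting result. SHA256 and
# IssuerName are column names from the discussion; the other column names,
# the hash values and the signer strings are assumptions for this example.
SAMPLE_CSV = """Timestamp,DeviceId,ActionType,FileName,FolderPath,SHA256,IssuerName,PublisherName
2023-08-02T19:00:00Z,dev1,AppControlCodeIntegrityPolicyAudited,Zoom.exe,C:\\Users\\u\\AppData\\Roaming\\Zoom\\bin,hash-zoom,,
2023-08-02T19:00:00Z,dev1,AppControlCodeIntegritySigningInformation,,,hash-zoom,Example Code Signing CA,"Zoom Video Communications, Inc."
2023-08-02T19:01:00Z,dev1,AppControlCodeIntegrityPolicyAudited,unsigned.exe,C:\\Temp,hash-unsigned,,
"""


def merge_signing_rows(csv_text):
    """Fill blank columns of each file row from the signing row with the same SHA256.

    Signing-event rows carry only signer fields; every other row (Audited,
    Blocked, ...) is treated as a file row. Returns (merged_rows, unmatched),
    where unmatched lists SHA256 values that had no signing row: that is what
    an unsigned binary, or a signing event missing from the export, looks like.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    columns = reader.fieldnames
    file_rows, signing_rows = [], {}
    for row in reader:
        if row["ActionType"] == SIGNING_EVENT:
            # First signing row per hash wins; a dual-signed file may emit several.
            signing_rows.setdefault(row["SHA256"], row)
        else:
            file_rows.append(row)
    merged, unmatched = [], []
    for row in file_rows:
        out = dict(row)
        signer = signing_rows.get(row["SHA256"])
        if signer is None:
            unmatched.append(row["SHA256"])
        else:
            for col in columns:
                if not out.get(col) and signer.get(col):
                    out[col] = signer[col]
        merged.append(out)
    return merged, unmatched
```

Writing the merged rows back out with csv.DictWriter using the original header gives one row per event with both the file and signer fields populated; the unmatched list is worth reviewing before importing, since a hash without a signing row will only ever yield a hash or path rule.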
Hey @iainfm, can you share an export of the Advanced Hunting results to my email - jordan.geurten@microsoft.com. Zoom.exe not having associated publisher info is concerning to me
Hi Jordan,

Many thanks for getting in touch. I have attached a few things that I hope will help you.

1) The Advanced Hunting results that I've been trying to use with WDAC Wizard
2) A screenshot of how Zoom.exe appears in WDAC Wizard when I open the Advanced Hunting log
3) The CodeIntegrity event log export from my device (U-000791420457)
4) A screenshot of how Zoom.exe appears when reading the evtx file or event log directly.

It is not just Zoom that is behaving this way, however. I see a similar problem with the Bomgar binaries (bomgar-scc.exe, bomgar-rep.exe etc) and many others.

Please let me know if there's anything else you need.

Best wishes,
Iain
[image: 3) Screenshot 2023-08-02 195811.png]
[image: 4) Screenshot 2023-08-02 195955.png]
I have root caused the issue in the Wizard: #273. Thanks again for reporting it.
Hi,
I'm using the sample KQL here to export WDAC events to CSV Advanced Hunting files to then import into WDAC Wizard.
I'm running into a lot of cases where publisher (and other) info isn't present in the logs when they're imported into WDAC Wizard. For example, Zoom.exe from the logs only shows as having path and file hash information.
However, if I parse my own device's event logs all the fields for Publisher, File Attributes and Packaged App (with the exception of package name) are present.
I'm not sure if this is a fault of the KQL, the Wizard, or something incorrect in my DFE setup. If I search for "zoom.exe" in the advanced hunting results the IssuerName, PublishedName, etc fields are all blank. If I search for "Zoom" I can see results containing "Zoom Video Communications, Inc." as the publisher but conversely these lines have no Filename or FolderPath.
It's a bit like there are two rows being created for every event - one that has the filename/path/hash and one that has the publisher/signing info...and these need to be joined into one line somehow.
Any advice would be greatly appreciated!
PS This problem is not limited to Zoom - I'm getting it for a lot of results, but not all. Happy to share an export if it would help.