With the relentless proliferation of compiled and script-based malware, trusting prevention and detection to antivirus solutions alone simply won't cut it. The only ideal method of effectively blocking binaries and scripts on a host is with a robust whitelisting solution. Device Guard is one such solution provided my Microsoft for Windows 10 and Server 2016 and if implemented properly, can eliminate an entire suite of attacks your organization may face.
Device Guard, like any other whitelisting solution, will never be impervious to bypasses, however. A robust solution will, however, provide mechanisms to block known bypasses. Device Guard provides such functionality in addition to providing features that can effectively block rogue administrators from altering policies or disabling the service.
In this talk, we will discuss configuration and deployment of an aggressive whitelisting policy, bypasses to the policy through exploitation of trusted applications, and mitigation strategies for effectively blocking such bypasses. We will also explain our methodology for uncovering bypass techniques to help better prepare your organization.