In Windows 10 and Windows 11, Windows Defender Application Control (WDAC) and AppLocker are available as security features of the Enterprise editions. In mid-May 2022 Microsoft published a list of recommended block rules for WDAC.
Microsoft's recommended block rules, dated May 13, 2022, name the applications that should be blocked by default in WDAC on Windows 10, Windows 11 and Windows Server (2016 and later).
The list below was compiled together with members of the security community. Microsoft recommends blocking the following applications or files because an attacker can use them to bypass application allow policies, including WDAC itself.
See the list:
- addinprocess.exe
- addinprocess32.exe
- addinutil.exe
- aspnet_compiler.exe
- bash.exe
- bginfo.exe
- cdb.exe
- cscript.exe
- csi.exe
- dbghost.exe
- dbgsvc.exe
- dnx.exe
- dotnet.exe
- fsi.exe
- fsiAnyCpu.exe
- infdefaultinstall.exe
- kd.exe
- kill.exe
- lxssmanager.dll
- lxrun.exe
- Microsoft.Build.dll
- Microsoft.Build.Framework.dll
- Microsoft.Workflow.Compiler.exe
- msbuild.exe
- msbuild.dll
- mshta.exe
- ntkd.exe
- ntsd.exe
- powershellcustomhost.exe
- rcsi.exe
- runscripthelper.exe
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
- wfc.exe
- windbg.exe
- wmic.exe
- wscript.exe
- wsl.exe
- wslconfig.exe
- wslhost.exe
Regarding BGInfo: a vulnerability in bginfo.exe was fixed in version 4.22 (the current version at the time of writing is 4.28). Anyone using BGInfo should download the latest version to be safe. BGInfo versions prior to 4.22 are still vulnerable and should be blocked.
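The following PowerShell script is an added example, not code from the original article or from Microsoft. It turns the list above into a WDAC deny policy and merges it into an existing base policy with the ConfigCI cmdlets that ship with Windows 10/11 Enterprise and Windows Server. The paths under C:\WDAC\ are assumptions; the bginfo.exe rule follows the version cut-off pattern used in Microsoft's published rules, with 4.21.0.0 as the highest denied version so that patched builds (4.22 and later) keep running.

```powershell
# Added example: build a WDAC deny policy from the recommended block list and
# merge it into an existing base policy. Assumed (hypothetical) paths below.
$BasePolicy   = 'C:\WDAC\BasePolicy.xml'
$DenyPolicy   = 'C:\WDAC\RecommendedBlockRules.xml'
$MergedPolicy = 'C:\WDAC\BasePolicy.WithBlockRules.xml'

# Binaries to deny in every version (bginfo.exe is handled separately below).
$BlockList = @(
  'addinprocess.exe','addinprocess32.exe','addinutil.exe','aspnet_compiler.exe',
  'bash.exe','cdb.exe','cscript.exe','csi.exe','dbghost.exe','dbgsvc.exe',
  'dnx.exe','dotnet.exe','fsi.exe','fsiAnyCpu.exe','infdefaultinstall.exe',
  'kd.exe','kill.exe','lxssmanager.dll','lxrun.exe','Microsoft.Build.dll',
  'Microsoft.Build.Framework.dll','Microsoft.Workflow.Compiler.exe',
  'msbuild.exe','msbuild.dll','mshta.exe','ntkd.exe','ntsd.exe',
  'powershellcustomhost.exe','rcsi.exe','runscripthelper.exe','texttransform.exe',
  'visualuiaverifynative.exe','system.management.automation.dll','wfc.exe',
  'windbg.exe','wmic.exe','wscript.exe','wsl.exe','wslconfig.exe','wslhost.exe'
)

$fileRules = New-Object System.Text.StringBuilder
$ruleRefs  = New-Object System.Text.StringBuilder
foreach ($name in $BlockList) {
    # Rule IDs must be unique; derive them from the file name (extension included,
    # so msbuild.exe and msbuild.dll get different IDs).
    $id = 'ID_DENY_{0}' -f ($name.ToUpper() -replace '[^A-Z0-9]', '_')
    # A FileName rule matches the OriginalFileName in the binary's version resource,
    # so renaming the file on disk does not evade it. In a Deny rule MinimumFileVersion
    # is the highest version still denied; 65535.65535.65535.65535 denies every version.
    [void]$fileRules.AppendLine(('    <Deny ID="{0}" FriendlyName="{1}" FileName="{1}" MinimumFileVersion="65535.65535.65535.65535" />' -f $id, $name))
    [void]$ruleRefs.AppendLine(('          <FileRuleRef RuleID="{0}" />' -f $id))
}

# bginfo.exe: the flaw was fixed in 4.22, so deny only builds up to 4.21.
# Assumption: 4.21.0.0 as cut-off; check the FileVersion of the build you hold
# with (Get-Item .\Bginfo.exe).VersionInfo before relying on it.
[void]$fileRules.AppendLine('    <Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="bginfo.exe" MinimumFileVersion="4.21.0.0" />')
[void]$ruleRefs.AppendLine('          <FileRuleRef RuleID="ID_DENY_BGINFO" />')

$PolicyGuid = [guid]::NewGuid().ToString('B').ToUpper()   # {GUID} form used by WDAC
$policyXml = @"
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:UMCI</Option></Rule>
  </Rules>
  <EKUs />
  <FileRules>
$($fileRules.ToString())  </FileRules>
  <Signers />
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel Mode Signing Scenario">
      <ProductSigners />
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User Mode Signing Scenario">
      <ProductSigners>
        <FileRulesRef>
$($ruleRefs.ToString())        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners />
  <HvciOptions>0</HvciOptions>
  <PolicyID>$PolicyGuid</PolicyID>
  <BasePolicyID>$PolicyGuid</BasePolicyID>
</SiPolicy>
"@
Set-Content -Path $DenyPolicy -Value $policyXml -Encoding UTF8

# Merge: the output keeps the first policy's IDs and rule options, so put the
# base policy first. Keep the base policy in audit mode for the first rollout
# and review the CodeIntegrity operational log before enforcing.
Merge-CIPolicy -PolicyPaths $BasePolicy, $DenyPolicy -OutputFilePath $MergedPolicy

# Binary form for deployment; with the multiple-policy format the file must be
# named after the policy GUID. Copy it to
# C:\Windows\System32\CodeIntegrity\CiPolicies\Active\ and reboot to activate.
[xml]$merged = Get-Content -Path $MergedPolicy -Raw
$binaryPath = Join-Path 'C:\WDAC' ("{0}.cip" -f $merged.SiPolicy.PolicyID)
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $binaryPath
```

Deny rules win over allow rules in WDAC, so the merged policy blocks these binaries even if the base policy allows them by publisher. On developer or build machines that legitimately need msbuild.exe or dotnet.exe, drop those names from the list rather than loosening the rest.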