Applixure User Ideas

Our customers made these suggestions for improving Applixure, add yours too!

"Kernel DMA protection" info in device data?

Hi! There's a thing called DMA attack available on Windows OS. We can protect it by using Group Policies and preventing certain types of devices of installing or accessing Firewire/Thunderbolt-ports. Here are 2 links about this case:

https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt

https://support.microsoft.com/en-us/topic/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-dma-and-thunderbolt-dma-threats-to-bitlocker-bf0ef10b-f563-5cfc-9740-8340b1d86a0c

From the latter link the first sentence however states that:

"For Windows version 1803 and later versions, if your platform supports the new Kernel DMA Protection feature, we recommend that you leverage that feature to mitigate Thunderbolt DMA attacks. "


The info about OS supporting Kernel DMA protection can be found as easily as running System Information and on the System Summary page there's a flag for Kernel DMA Protection (On | Off)


This would help to see the status of the DMA Protection and could help to either evaluate the need of Group Policy or make a decission if a device can be excluded from the the Group Policy made for restricting DMA.

  • Guest
  • Jan 17 2022
  • Shipped
  • Attach files
  • Admin
    Kalle Saunamäki commented
    January 27, 2022 06:59

    This is now available in the agent's security state data in new WindowsSecurity -subobject, along with number of other new attributes related to Windows -specific security features (App Control, App Guard, Memory Integrity etc.)

    ×

    Attachments Open full size

  • Admin
    Kalle Saunamäki commented
    January 18, 2022 14:41

    Thanks, that looks like the one that would be needed. The Powershell script referenced contains the actual API call.

    ×

    Attachments Open full size

  • Guest commented
    January 18, 2022 14:11

    Hi!


    You mean like this? There's at least a Powershell way to check it.


    https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6878

    ×

    Attachments Open full size

  • Admin
    Kalle Saunamäki commented
    January 18, 2022 11:31

    Thank you for the suggestion.

    While the information can be found from msinfo32 application for human consumption, in order to include this datapoint in Applixure device data we would need to find programmatic interface (API, WMI etc.) where Applixure could read that information. If such location is available, then having the information in the data could be added.

    ×

    Attachments Open full size

Related ideas