My AppLocker XML file has a nested structure including:
<FileHashRule Id="48e2907a-3432-35b2-87b5-89de5769d92e" Name="Contoso 4.1.10 exe Filehash 592" Description="Contoso 4.1.10 exe Filehash" UserOrGroupSid="S-1-5-21-26123456789-2279876534-295667819-1273219" Action="Allow">
<Conditions>
<FileHashCondition>
<FileHash Type="SHA256" Data="0x16D850A2FB71A0EABE6206089453120FD5BBED78BBE184BA4ADF017C27931FC6" SourceFileName="subcont.87FA373EE1BBDFF4C32E3FD11E4BBC5ECE3ACB00.exe" SourceFileLength="13824"/>
<FileHash Type="SHA256" Data="0x31BE12F24FA4BC1E4DEA50BF89E8C907D258CB5470AEFAC7FBAAD6F948A95459" SourceFileName="assistcont.FE7E3A542CF5465A68431ABBBBC370B18A2AA9A7.exe" SourceFileLength="886272"/>
<FileHash Type="SHA256" Data="0x093EC974186215147DFD2DA6C893C918DB970B844E1D7F050B15058CFC693087" SourceFileName="contdelete.620602014029188140BCA5FC4755909AD1E389B2.exe" SourceFileLength="830464"/>
...
When I use the AppLocker converter tool, parts like this are converted like:
<Allow ID="ID_ALLOW_B_12136_SHA256" FriendlyName="Contoso 4.1.10 exe Filehash 602" Hash="16D850A2FB71A0EABE6206089453120FD5BBED78BBE184BA4ADF017C27931FC6"/>
<Allow ID="ID_ALLOW_B_12137_SHA256" FriendlyName="Contoso 4.1.10 exe Filehash 602" Hash="31BE12F24FA4BC1E4DEA50BF89E8C907D258CB5470AEFAC7FBAAD6F948A95459"/>
<Allow ID="ID_ALLOW_B_12138_SHA256" FriendlyName="Contoso 4.1.10 exe Filehash 602" Hash="093EC974186215147DFD2DA6C893C918DB970B844E1D7F050B15058CFC693087"/>
so the "nesting" is flattened and the actual executables are wrongly replaced by the main program name.
The expected result should be that the WDAC XML should report the name of the actual exe files like:
<Allow ID="ID_ALLOW_B_12136_SHA256" FriendlyName="subcont.exe (Contoso 4.1.10)" Hash="16D850A2FB71A0EABE6206089453120FD5BBED78BBE184BA4ADF017C27931FC6"/>
<Allow ID="ID_ALLOW_B_12137_SHA256" FriendlyName="assistcont.exe (Contoso 4.1.10)" Hash="31BE12F24FA4BC1E4DEA50BF89E8C907D258CB5470AEFAC7FBAAD6F948A95459"/>
<Allow ID="ID_ALLOW_B_12138_SHA256" FriendlyName="contdelete.exe (Contoso 4.1.10)" Hash="093EC974186215147DFD2DA6C893C918DB970B844E1D7F050B15058CFC693087"/>
Can you please fix this use case?
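One way to produce the per-file names requested above, as an added PowerShell example (not the converter tool's code and not part of the original report). It assumes that SourceFileName carries a 40-hex-digit middle segment to drop and that the rule name ends in "exe Filehash <n>"; the function names and the starting ID 12136 (taken from the sample output above) are illustrative.

```powershell
# Constructed sample: the rule from the report, trimmed to Id/Name/Action and closed so it parses.
[xml]$appLocker = @'
<FileHashRule Id="48e2907a-3432-35b2-87b5-89de5769d92e" Name="Contoso 4.1.10 exe Filehash 592" Action="Allow">
  <Conditions>
    <FileHashCondition>
      <FileHash Type="SHA256" Data="0x16D850A2FB71A0EABE6206089453120FD5BBED78BBE184BA4ADF017C27931FC6" SourceFileName="subcont.87FA373EE1BBDFF4C32E3FD11E4BBC5ECE3ACB00.exe" SourceFileLength="13824"/>
      <FileHash Type="SHA256" Data="0x31BE12F24FA4BC1E4DEA50BF89E8C907D258CB5470AEFAC7FBAAD6F948A95459" SourceFileName="assistcont.FE7E3A542CF5465A68431ABBBBC370B18A2AA9A7.exe" SourceFileLength="886272"/>
      <FileHash Type="SHA256" Data="0x093EC974186215147DFD2DA6C893C918DB970B844E1D7F050B15058CFC693087" SourceFileName="contdelete.620602014029188140BCA5FC4755909AD1E389B2.exe" SourceFileLength="830464"/>
    </FileHashCondition>
  </Conditions>
</FileHashRule>
'@

function Get-WdacFriendlyName {
    param([Parameter(Mandatory)][string]$SourceFileName, [Parameter(Mandatory)][string]$RuleName)
    # Assumption: a 40-hex-digit segment sits just before the extension and is not part of the real name.
    $file = $SourceFileName -replace '\.[0-9A-Fa-f]{40}(?=\.[^.]+$)', ''
    # Assumption: rule names end in " exe Filehash <n>"; what precedes it is the product label.
    $product = $RuleName -replace '\s+exe\s+Filehash(\s+\d+)?$', ''
    '{0} ({1})' -f $file, $product
}

function Convert-FileHashRule {
    param([Parameter(Mandatory)][System.Xml.XmlElement]$Rule, [int]$FirstId = 12136)
    # GetAttribute avoids the ambiguity of .Name (element name vs. Name attribute).
    $ruleName = $Rule.GetAttribute('Name')
    $id = $FirstId
    foreach ($fh in $Rule.SelectNodes('Conditions/FileHashCondition/FileHash')) {
        $hash = ($fh.GetAttribute('Data') -replace '^0x', '').ToUpperInvariant()
        # Emit nothing for entries that are not a well-formed SHA256 value.
        if ($fh.GetAttribute('Type') -ne 'SHA256' -or $hash -notmatch '^[0-9A-F]{64}$') {
            Write-Warning "Skipping $($fh.GetAttribute('SourceFileName')): not a SHA256 hash"
            continue
        }
        # Build the element through the XML API so names containing & or quotes are escaped.
        $allow = $Rule.OwnerDocument.CreateElement('Allow')
        $allow.SetAttribute('ID', "ID_ALLOW_B_${id}_SHA256")
        $allow.SetAttribute('FriendlyName', (Get-WdacFriendlyName $fh.GetAttribute('SourceFileName') $ruleName))
        $allow.SetAttribute('Hash', $hash)
        $allow.OuterXml
        $id++
    }
}

# One <Allow> line per nested FileHash, each named after its own executable.
Convert-FileHashRule -Rule $appLocker.DocumentElement
```

FriendlyName is only a label: the Hash attribute is what the policy matches on, so the renaming changes how the rules read during review, not what they allow.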