
WDAC Base Policy Is Blocking Apps like Tor Browser, G'MIC (plugin for GIMP) but I don't know which rule #500

@GHM3434

Description

Hi,

I have WDAC set up in a Windows Active Directory environment. I set up a base policy (with the recommended user mode block and kernel block rules enabled; I think these are the same as the "Recommended block rules" and "Driver block rules") for workstations, and this policy is causing some apps to be blocked, such as:

  1. Tor Browser:
     Event viewer messages:
     Code Integrity determined that a process (\Device\HarddiskVolume3\Users\user\Desktop\Tor Browser\Browser\updater.exe) attempted to load \Device\HarddiskVolume3\Users\user\Desktop\Tor Browser\Browser\firefox.exe that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{848xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}).

     Code Integrity determined that a process (\Device\HarddiskVolume3\Users\user\Desktop\Tor Browser\Browser\updater.exe) attempted to load \Device\HarddiskVolume3\Users\user\Desktop\Tor Browser\Browser\firefox.exe that did not meet the Enterprise signing level requirements.

  2. WinFSP:
     Event viewer messages:
     Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume3\Program Files (x86)\WinFsp\SxS\sxs.20251122T163008Z\bin\launcher-x64.exe that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{848xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx).

     Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume3\Program Files (x86)\WinFsp\SxS\sxs.20251122T163008Z\bin\launcher-x64.exe that did not meet the Enterprise signing level requirements.

  3. G'MIC plugin for GIMP:
     Event viewer messages:
     Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \domain.com\dfs\domain_user_profiles\user\home\Downloads\gmic_3.6.4_gimp3.0_win64.exe that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{848xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}).

     Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\Mup\muchxbt.com\dfs\domain_user_profiles\user\home\Downloads\gmic_3.6.4_gimp3.0_win64.exe that did not meet the Enterprise signing level requirements.

My Question:

Why are these being blocked, or how can I unblock them? Or, at a minimum, how do I know which specific rule is causing the block so I can maybe remove it? From what I can tell, I can only see which policy file is causing the block. There are thousands, if not more, rules in the policy, so it seems impossible to pinpoint which rule exactly is causing the block.

Adding an allow rule in a separate supplemental policy file (or in the same base policy) still does not allow the app/file to run. The base policy rule seems to override it.
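The rule hunt asked for above, as an added example that is not part of the issue or the repository: a PowerShell script that takes one blocked file plus the base and supplemental policy XML (all paths are placeholders), lists the Deny rules in the base whose FileName matches the PE's OriginalFilename (which is what WDAC file-name rules key on, not the on-disk name), and then checks the two things a supplemental allow needs: the base option `Enabled:Allow Supplemental Policies` and a `BasePolicyID` that matches the base's `PolicyID`.

```powershell
# Added example (not from the issue). Paths are placeholders; run as an account
# that can read the policy XML you deployed to the workstation.
param(
    [string]$BlockedFile     = 'C:\Users\user\Desktop\Tor Browser\Browser\firefox.exe',
    [string]$BasePolicyXml   = 'C:\WDAC\BasePolicy.xml',
    [string]$SupplementalXml = 'C:\WDAC\Supplemental.xml'
)
$ns = @{ si = 'urn:schemas-microsoft-com:sipolicy' }

# WDAC FileName rules match the PE version resource's OriginalFilename.
$origName = (Get-Item $BlockedFile).VersionInfo.OriginalFilename
if (-not $origName) { $origName = [IO.Path]::GetFileName($BlockedFile) }
Write-Host "Checking Deny rules against OriginalFilename '$origName'"

[xml]$base = Get-Content -Raw $BasePolicyXml

# 1) Plain file-name Deny rules (how the Microsoft recommended block list is written).
#    MinimumFileVersion=65535.65535.65535.65535 means every version is denied.
$denies = Select-Xml -Xml $base -Namespace $ns -XPath '//si:FileRules/si:Deny[@FileName]' |
    ForEach-Object { $_.Node } | Where-Object { $_.FileName -ieq $origName }
foreach ($d in $denies) {
    Write-Host ('DENY {0} ({1}) FileName={2} MinimumFileVersion={3}' -f $d.ID, $d.FriendlyName, $d.FileName, $d.MinimumFileVersion)
}

# 2) Signer-scoped denies: a FileAttrib naming this file, referenced from DeniedSigners.
$attribs = Select-Xml -Xml $base -Namespace $ns -XPath '//si:FileRules/si:FileAttrib[@FileName]' |
    ForEach-Object { $_.Node } | Where-Object { $_.FileName -ieq $origName }
foreach ($a in $attribs) {
    $refs = Select-Xml -Xml $base -Namespace $ns -XPath "//si:DeniedSigners//si:FileAttribRef[@RuleID='$($a.ID)']"
    if ($refs) { Write-Host ('DENY via signer: FileAttrib {0} is referenced by {1} DeniedSigners entry(s)' -f $a.ID, @($refs).Count) }
}
if (-not $denies -and -not $attribs) {
    # No explicit deny: the file simply has no matching Allow, so look at its signer/hash instead.
    Write-Host 'No explicit Deny by file name; the block is the default-deny of an unmatched file.'
}

# 3) Why an Allow in a supplemental policy may never be consulted.
$policyId   = (Select-Xml -Xml $base -Namespace $ns -XPath '/si:SiPolicy/si:PolicyID').Node.InnerText
$allowsSupp = Select-Xml -Xml $base -Namespace $ns -XPath "/si:SiPolicy/si:Rules/si:Rule/si:Option[text()='Enabled:Allow Supplemental Policies']"
Write-Host ('Base PolicyID {0}; Allow Supplemental Policies option present: {1}' -f $policyId, [bool]$allowsSupp)
if (Test-Path $SupplementalXml) {
    [xml]$supp = Get-Content -Raw $SupplementalXml
    $baseRef = (Select-Xml -Xml $supp -Namespace $ns -XPath '/si:SiPolicy/si:BasePolicyID').Node.InnerText
    Write-Host ('Supplemental BasePolicyID {0} matches base: {1}' -f $baseRef, ($baseRef -ieq $policyId))
}
```

An explicit Deny in the base always wins over an Allow anywhere else, so when the script reports a matching Deny the only fix is to edit or remove that rule in the base policy; a supplemental policy can only add allows, never override a deny.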
